
Disable Trace and Track for Better Security

The shared server on which I host Perishable Press was recently scanned by security software that revealed a significant security risk. Namely, the HTTP request methods TRACE and TRACK were found to be enabled on my webserver. TRACE and TRACK are HTTP methods used for debugging webserver connections.

Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing (XST) attacks. By exploiting certain browser vulnerabilities, an attacker may manipulate the TRACE and TRACK methods to intercept your visitors’ sensitive data. The solution, of course, is to disable these methods on your webserver.

How to disable the TRACE and TRACK methods

To disable TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to either your main configuration file or root HTAccess file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

These directives disable the TRACE and TRACK methods via the following process:

  • RewriteEngine on — enables Apache’s rewrite module (this directive is not required if already present in your htaccess file)
  • RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) — targets all TRACE and TRACK request methods for the following rule
  • RewriteRule .* - [F] — returns a 403 Forbidden error response for all matched conditions (i.e., all TRACE and TRACK requests)

With these rules in place, your site is protected against one more potential security vulnerability :)
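To confirm the rules took effect on your own server, the following check sends one TRACE and one TRACK request and reports how each was answered. It is an added example, not code from the original post; the probe header name and value, the function names, and the set of status codes treated as "blocked" are assumptions made for illustration.

```python
import http.client
import sys

PROBE = "probe-1234"             # constructed marker value, used to spot an echo
BLOCKED = {403, 405, 501}        # assumption: statuses treated as "method refused"

def classify(status, body):
    """Turn a status code and response body into a verdict."""
    echoed = PROBE in body       # a working TRACE echoes the request back
    if status == 200 and echoed:
        return "enabled"
    if status in BLOCKED:
        return "blocked"
    return "inconclusive"

def check_method(host, port, method, use_tls=False, timeout=5):
    """Send one request using `method` and report how the server answered."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Check": PROBE})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read(65536).decode("latin-1", "replace")
    finally:
        conn.close()
    return {"method": method, "status": status, "verdict": classify(status, body)}

def audit(host, port=80, use_tls=False):
    """Check both methods the rewrite rule is meant to refuse."""
    return [check_method(host, port, m, use_tls) for m in ("TRACE", "TRACK")]

if __name__ == "__main__":
    # Usage: python check_trace.py your-own-host [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for result in audit(host, port, use_tls=(port == 443)):
        print(result)
```

With the rewrite rules above in place, both methods should come back as "blocked" with status 403. An "inconclusive" verdict means the server answered with something other than an echo or a refusal and is worth inspecting by hand.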

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

27 responses to “Disable Trace and Track for Better Security”

  1. Jeff Starr 2010/09/13 1:58 pm

    Thanks for the information, Abraham – it definitely helps :)

  2. Did you guys know that if you have root access to your servers, you can disable trace with a command?

    TraceEnable Off

    Thought I would just share it with you in case you are not aware.

  3. I turned OFF TraceEnable but I can still see the HTTP Request trace from Firebug.
