diff --git a/htaccess.conf b/htaccess.conf
index d7cf3663..233cbe30 100644
--- a/htaccess.conf
+++ b/htaccess.conf
@@ -75,6 +75,7 @@ disable "src/security/strict-transport-security.conf"
 enable "src/security/x-content-type-option.conf"
 disable "src/security/x-xss-protection.conf"
 disable "src/security/referrer-policy.conf"
+disable "src/security/trace_method.conf"
 enable "src/security/x-powered-by.conf"
 enable "src/security/server_software_information.conf"
diff --git a/src/security/trace_method.conf b/src/security/trace_method.conf
new file mode 100644
index 00000000..7e9a96b2
--- /dev/null
+++ b/src/security/trace_method.conf
@@ -0,0 +1,22 @@
+# ----------------------------------------------------------------------
+# | Disable TRACE HTTP Method |
+# ----------------------------------------------------------------------
+
+# Prevent Apache from responding to `TRACE` HTTP request.
+#
+# The TRACE method, while apparently harmless, can be successfully
+# leveraged in some scenarios to steal legitimate users' credentials
+#
+# Modern browsers now prevent TRACE requests being made via JavaScript,
+# however, other ways of sending TRACE requests with browsers have been
+# discovered, such as using Java.
+#
+# (!) The `TraceEnable` directive will only work in the main server
+# configuration file, so don't try to enable it in the `.htaccess` file!
+#
+# https://tools.ietf.org/html/rfc7231#section-4.3.8
+# https://www.owasp.org/index.php/Cross_Site_Tracing
+# https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
+# https://httpd.apache.org/docs/current/mod/core.html#traceenable
+
+TraceEnable Off
diff --git a/test/htaccess_fixture.conf b/test/htaccess_fixture.conf
index ee6d481c..8de6fcaf 100644
--- a/test/htaccess_fixture.conf
+++ b/test/htaccess_fixture.conf
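Review bot: `TraceEnable Off` at the end of the new src/security/trace_method.conf is a server-config / virtual-host directive, while this repository's snippets are assembled into an `.htaccess`, so as shipped the snippet can only ever be kept `disable`d (as the htaccess.conf hunk above does) and copied into httpd.conf by hand; the comment warns against enabling it but not what happens if someone does. Apache rejects a directive outside its allowed context when it parses the `.htaccess`, so flipping the line in htaccess.conf to `enable` would, as far as I can tell, make every request under that directory answer with a 500 rather than silently doing nothing; the warning comment should say so, e.g. `# (!) TraceEnable is only allowed in the main server configuration or a <VirtualHost> block. Apache refuses it inside .htaccess, and the site then answers every request with a 500 error.`. If the intent is that users of the generated file get the protection described, the `.htaccess`-compatible route is to refuse the method with `RewriteCond %{REQUEST_METHOD} ^TRACE` and `RewriteRule .* - [F]` behind the usual `<IfModule mod_rewrite.c>` guard, either in this file or in a sibling snippet referenced from the comment. Minor wording in the new header comment: `responding to TRACE HTTP request` should be plural, and the sentence ending in `credentials` lacks its full stop.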
@@ -73,6 +73,7 @@ enable "src/security/strict-transport-security.conf"
 enable "src/security/x-content-type-option.conf"
 enable "src/security/x-xss-protection.conf"
 enable "src/security/referrer-policy.conf"
+omit "src/security/trace_method.conf"
 enable "src/security/x-powered-by.conf"
 enable "src/security/server_software_information.conf"