Skip to content

Commit

Permalink
Add TraceEnable Off
Browse files Browse the repository at this point in the history
Fix #59
  • Loading branch information
LeoColomb committed Nov 24, 2018
1 parent 4d28cd7 commit 0ac9adb
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 0 deletions.
1 change: 1 addition & 0 deletions htaccess.conf
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ disable "src/security/strict-transport-security.conf"
enable "src/security/x-content-type-option.conf"
disable "src/security/x-xss-protection.conf"
disable "src/security/referrer-policy.conf"
disable "src/security/trace_method.conf"
enable "src/security/x-powered-by.conf"
enable "src/security/server_software_information.conf"

Expand Down
22 changes: 22 additions & 0 deletions src/security/trace_method.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# ----------------------------------------------------------------------
# | Disable TRACE HTTP Method |
# ----------------------------------------------------------------------

# Prevent Apache from responding to `TRACE` HTTP request.
#
# The TRACE method, while apparently harmless, can be successfully
# leveraged in some scenarios to steal legitimate users' credentials
#
# Modern browsers now prevent TRACE requests being made via JavaScript,
# however, other ways of sending TRACE requests with browsers have been
# discovered, such as using Java.
#
# (!) The `TraceEnable` directive will only work in the main server
# configuration file, so don't try to enable it in the `.htaccess` file!
#
# https://tools.ietf.org/html/rfc7231#section-4.3.8
# https://www.owasp.org/index.php/Cross_Site_Tracing
# https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
# https://httpd.apache.org/docs/current/mod/core.html#traceenable

TraceEnable Off
1 change: 1 addition & 0 deletions test/htaccess_fixture.conf
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ enable "src/security/strict-transport-security.conf"
enable "src/security/x-content-type-option.conf"
enable "src/security/x-xss-protection.conf"
enable "src/security/referrer-policy.conf"
omit "src/security/trace_method.conf"
enable "src/security/x-powered-by.conf"
enable "src/security/server_software_information.conf"

Expand Down

0 comments on commit 0ac9adb

Please sign in to comment.