Add TraceEnable Off

Fix #59

htaccess.conf

@@ -75,6 +75,7 @@ disable "src/security/strict-transport-security.conf"
 enable  "src/security/x-content-type-option.conf"
 disable "src/security/x-xss-protection.conf"
 disable "src/security/referrer-policy.conf"
+disable "src/security/trace_method.conf"
 enable  "src/security/x-powered-by.conf"
 enable  "src/security/server_software_information.conf"
 

src/security/trace_method.conf

@@ -0,0 +1,22 @@
+# ----------------------------------------------------------------------
+# | Disable TRACE HTTP Method                                          |
+# ----------------------------------------------------------------------
+
+# Prevent Apache from responding to `TRACE` HTTP request.
+#
+# The TRACE method, while apparently harmless, can be successfully
+# leveraged in some scenarios to steal legitimate users' credentials
+#
+# Modern browsers now prevent TRACE requests being made via JavaScript,
+# however, other ways of sending TRACE requests with browsers have been
+# discovered, such as using Java.
+#
+# (!) The `TraceEnable` directive will only work in the main server
+# configuration file, so don't try to enable it in the `.htaccess` file!
+#
+# https://tools.ietf.org/html/rfc7231#section-4.3.8
+# https://www.owasp.org/index.php/Cross_Site_Tracing
+# https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
+# https://httpd.apache.org/docs/current/mod/core.html#traceenable
+
+TraceEnable Off

test/htaccess_fixture.conf

@@ -73,6 +73,7 @@ enable  "src/security/strict-transport-security.conf"
 enable  "src/security/x-content-type-option.conf"
 enable  "src/security/x-xss-protection.conf"
 enable  "src/security/referrer-policy.conf"
+omit    "src/security/trace_method.conf"
 enable  "src/security/x-powered-by.conf"
 enable  "src/security/server_software_information.conf"