Make disabling TRACE method usable in a .htaccess file (#169)

Co-authored-by: Léo Colombaro <git@colombaro.fr>
h5bp · Aug 7, 2019 · 9ae931c · 9ae931c
1 parent ad25d31
commit 9ae931c
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/src/security/trace_method.conf b/src/security/trace_method.conf
@@ -5,18 +5,22 @@
 # Prevent Apache from responding to `TRACE` HTTP request.
 #
 # The TRACE method, while apparently harmless, can be successfully
-# leveraged in some scenarios to steal legitimate users' credentials
+# leveraged in some scenarios to steal legitimate users' credentials.
 #
 # Modern browsers now prevent TRACE requests being made via JavaScript,
 # however, other ways of sending TRACE requests with browsers have been
 # discovered, such as using Java.
 #
-# (!) The `TraceEnable` directive will only work in the main server
-# configuration file, so don't try to enable it in the `.htaccess` file!
+# (!) If you have access to the main server configuration file, use the 
+#     `TraceEnable` directive instead.
 #
 # https://tools.ietf.org/html/rfc7231#section-4.3.8
 # https://www.owasp.org/index.php/Cross_Site_Tracing
 # https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
 # https://httpd.apache.org/docs/current/mod/core.html#traceenable
 
-TraceEnable Off
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
+    RewriteRule .* - [R=405,L]
+</IfModule>