From 9ae931cfe5bc4fe8af0fca21094ad93d4437cfaa Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Thu, 8 Aug 2019 01:27:31 +0200
Subject: [PATCH] Make disabling TRACE method usable in a `.htaccess` file (#169)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Léo Colombaro
---
 src/security/trace_method.conf | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/trace_method.conf b/src/security/trace_method.conf
index 7e9a96b2..47c2fbd9 100644
--- a/src/security/trace_method.conf
+++ b/src/security/trace_method.conf
@@ -5,18 +5,22 @@
 # Prevent Apache from responding to `TRACE` HTTP request.
 #
 # The TRACE method, while apparently harmless, can be successfully
-# leveraged in some scenarios to steal legitimate users' credentials
+# leveraged in some scenarios to steal legitimate users' credentials.
 #
 # Modern browsers now prevent TRACE requests being made via JavaScript,
 # however, other ways of sending TRACE requests with browsers have been
 # discovered, such as using Java.
 #
-# (!) The `TraceEnable` directive will only work in the main server
-# configuration file, so don't try to enable it in the `.htaccess` file!
+# (!) If you have access to the main server configuration file, use the
+# `TraceEnable` directive instead.
 #
 # https://tools.ietf.org/html/rfc7231#section-4.3.8
 # https://www.owasp.org/index.php/Cross_Site_Tracing
 # https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
 # https://httpd.apache.org/docs/current/mod/core.html#traceenable
 
-TraceEnable Off
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
+ RewriteRule .* - [R=405,L]
+
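Review bot: The replacement RewriteRule block is fail-open in a way `TraceEnable Off` was not: the bare `+` lines around the three Rewrite directives look like a stripped `<IfModule mod_rewrite.c>` wrapper, so on a host without mod_rewrite the block is skipped silently and TRACE is answered again, and even with the module loaded the 405 only applies to requests routed through the directory tree that includes this file, not to the whole server as the old directive did. The rewritten `(!)` comment mentions neither limitation, so a reader switching from the old directive may assume equivalent coverage. I would extend it with `# (!) In a .htaccess file this only rejects TRACE for the directory tree that includes it, and only when mod_rewrite is loaded; verify the 405 response after deploying.` The `[NC]` flag on the RewriteCond is unnecessary because HTTP method tokens are case-sensitive, though it is harmless.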