.htaccess Disable TRACE HTTP Method

Disable TRACE HTTP Method

The TRACE method can be successfully exploited in some scenarios to steal legitimate users' credentials.

Modern browsers now prevent TRACE requests made via JavaScript; however, other ways of sending TRACE requests from a browser have been discovered, such as using Java.

If you have access to the main server configuration file, use the TraceEnable directive instead.

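<IfModule mod_rewrite.c>
RewriteEngine On
# Match any request whose method starts with TRACE (case-insensitive)
RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
# Answer with 405 Method Not Allowed and stop processing further rules
RewriteRule .* - [R=405,L]
</IfModule>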
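To confirm the rule is in effect, the check below sends one TRACE request carrying a random marker header and reports the status code and whether the marker was echoed back. It is an added example, not part of the original page; `probe_trace`, `StandIn`, `demo` and the `X-Trace-Check` header are names chosen here, and `StandIn` is a constructed local stand-in server so the check runs offline.

```python
import secrets
import threading
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def probe_trace(url, timeout=5.0):
    """Send one TRACE request; return (status, echoed).

    echoed is True when the marker header comes back in the response body,
    which is what a server with TRACE enabled does.
    """
    parts = urlsplit(url)
    cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    marker = secrets.token_hex(8)  # random value we look for in the reply
    try:
        conn.request("TRACE", parts.path or "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        return resp.status, marker in resp.read(65536).decode("latin-1")
    finally:
        conn.close()


class StandIn(BaseHTTPRequestHandler):
    """Constructed local stand-in for a web server, so the check runs offline."""
    trace_enabled = True

    def do_TRACE(self):
        if not self.trace_enabled:
            self.send_error(405)  # same status the rewrite rule returns
            return
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo(trace_enabled):
    """Start the stand-in on a free local port and probe it once."""
    handler = type("Handler", (StandIn,), {"trace_enabled": trace_enabled})
    with HTTPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe_trace("http://127.0.0.1:%d/" % server.server_port)
        finally:
            server.shutdown()
```

Against your own site, call `probe_trace` with its URL: a result of `(405, False)` means the method is rejected, while `(200, True)` means the server still echoes TRACE requests.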