Information
Use the Apache TraceEnable directive to disable the HTTP TRACE request method.
Rationale:
The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostic purposes. The TRACE method is not needed, is easily abused, and should be disabled.
Solution
Perform the following to implement the recommended state:
Locate the main Apache configuration file such as httpd.conf.
Add a TraceEnable directive to the server-level configuration with a value of off. Server-level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>.
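One way to verify the result of these steps, as an added example that is not part of the original benchmark text: the hypothetical function audit_trace_enable scans a configuration text and confirms that TraceEnable off appears at server level rather than inside a container. It assumes the last server-level occurrence is the effective one and does not follow Include files; the sample configurations are constructed.

```python
import re

# Container tags such as <Directory "/var/www"> and </Directory>.
_OPEN = re.compile(r"^<\s*([A-Za-z]\w*)\b[^>]*>$")
_CLOSE = re.compile(r"^</\s*[A-Za-z]\w*\s*>$")

def audit_trace_enable(conf_text):
    """Return (compliant, findings) for one Apache configuration text.

    compliant is True only when the last TraceEnable found outside every
    <...> container has the value "off" (assumption: last one wins).
    Nested occurrences are reported and never count as server level.
    """
    stack = []           # names of the containers currently open
    server_level = None  # last server-level TraceEnable value seen
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        parts = line.split()
        if parts[0].lower() != "traceenable":  # directive names ignore case
            continue
        value = parts[1].lower() if len(parts) > 1 else ""
        if stack:
            findings.append(f"line {lineno}: TraceEnable {value} nested in <{stack[-1]}>")
        else:
            server_level = value
            if value != "off":
                findings.append(f"line {lineno}: server-level TraceEnable is {value}")
    if server_level is None:
        findings.append("no server-level TraceEnable directive (default: TRACE enabled)")
    return server_level == "off", findings

# Constructed sample configurations (not taken from a real server).
NESTED_ONLY = """\
ServerRoot "/etc/httpd"
<Directory "/var/www/html">
    TraceEnable off
</Directory>
"""
COMPLIANT = 'ServerRoot "/etc/httpd"\nTraceEnable Off\n'
```

NESTED_ONLY fails the check because its only TraceEnable sits inside <Directory>, which is the misplacement the second step warns about.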
Default Value:
The TRACE method is enabled.