2.6 Turn off TRACE

Information

The HTTP TRACE verb echoes the received request back to the client, providing debugging and diagnostic information for a given request.

Rationale:

Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from accepting a TRACE request:

Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false.

<Connector ... allowTrace='false' />

Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.

Add the following as a child of the web-app root element, if present, in each web application's web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        ...
        <http-method>TRACE</http-method>
        ...
    </web-resource-collection>
    ...
</security-constraint>

Default Value:

Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.
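An added audit check for this item, written here as an example and not part of the CIS benchmark or Tenable's plugin: it parses a server.xml and reports every Connector on which allowTrace is explicitly set to true, treating an absent or false attribute as compliant exactly as the default value above describes. The server.xml content is a constructed sample.

```python
"""Audit a Tomcat server.xml for Connectors that permit HTTP TRACE (CIS item 2.6).

Added example, not Tomcat's or CIS's own tooling. A Connector is non-compliant
only when allowTrace is present and equals "true"; Tomcat rejects TRACE when the
attribute is absent or false.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample server.xml: one connector with the attribute absent,
# one explicitly set to false, and one non-compliant connector.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" allowTrace="false" />
    <Connector port="8009" protocol="AJP/1.3" allowTrace="true" />
  </Service>
</Server>
"""


def trace_enabled_connectors(server_xml: str) -> List[str]:
    """Return one finding per Connector whose allowTrace attribute is true.

    The value is stripped and lower-cased before comparison so that spellings
    such as "TRUE" are not missed; anything else counts as TRACE disabled.
    """
    root = ET.fromstring(server_xml)
    findings = []
    # Connectors normally sit under <Service>, but iter() handles any nesting.
    for connector in root.iter("Connector"):
        value = connector.get("allowTrace", "").strip().lower()
        if value == "true":
            port = connector.get("port", "?")
            protocol = connector.get("protocol", "HTTP/1.1")
            findings.append(f"Connector port={port} protocol={protocol} allowTrace=true")
    return findings


def is_compliant(server_xml: str) -> bool:
    """CIS 2.6 passes when no Connector in the file permits TRACE."""
    return not trace_enabled_connectors(server_xml)


if __name__ == "__main__":
    for finding in trace_enabled_connectors(SAMPLE_SERVER_XML):
        print("FAIL:", finding)
    print("compliant" if is_compliant(SAMPLE_SERVER_XML) else "non-compliant")
```

To audit a live instance, read $CATALINA_HOME/conf/server.xml into a string and pass it to is_compliant; the web.xml security-constraint alternative is not covered by this check.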

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-1, 800-53|AU-2, CSCv7|14.9

Plugin: Unix

Control ID: 8d08f54beb85ebb6cb89d9b27a33500dcd590f4c721bb78ce03e44ff6c034558