Tomcat - Disable TRACE Method
This article has been superseded by this one.
No further updates will be made to this article.
I've been seeing some searches get directed to this site from folks looking for ways to disable the HTTP TRACE method on Tomcat. If you are using Tomcat 4.1+, 5.5+, or 6.0+, the TRACE method is disabled by default. If a PCI scanner is flagging TRACE/TRACK as enabled anyway, there are three possible reasons that I can think of.
The first cause is that you actually do have TRACE enabled. Check your server.xml and look at the HTTP Connector elements for an attribute named "allowTrace". If it is set to "true", either remove the attribute (the default is disabled) or change it to "false".
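The check above can be scripted for a fleet of servers. The following is an added example (not part of the original article) that parses a constructed, trimmed server.xml, reports every Connector whose allowTrace attribute is true, and produces a copy with the attribute removed so Tomcat falls back to its default. The sample XML and its port numbers are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server.xml with three connectors, one of which
# has TRACE explicitly enabled. Not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" allowTrace="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" allowTrace="FALSE"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def trace_enabled_ports(server_xml: str) -> list[str]:
    """Return the port of every Connector whose allowTrace attribute is true.

    A missing attribute means the Tomcat default (TRACE disabled), so only an
    explicit allowTrace="true" (any letter case) counts as enabled.
    """
    root = ET.fromstring(server_xml)
    return [
        connector.get("port", "?")
        for connector in root.iter("Connector")
        if connector.get("allowTrace", "false").strip().lower() == "true"
    ]


def disable_trace(server_xml: str) -> str:
    """Return a copy of server.xml with allowTrace removed from every Connector.

    Dropping the attribute restores the default (TRACE disabled); this is the
    'get rid of it' option from the article. Comments and original whitespace
    are not preserved by ElementTree, so review the diff before deploying.
    """
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if "allowTrace" in connector.attrib:
            del connector.attrib["allowTrace"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ports = trace_enabled_ports(SAMPLE_SERVER_XML)
    print("TRACE enabled on connector ports:", ports or "none")
    fixed = disable_trace(SAMPLE_SERVER_XML)
    print("After removing allowTrace:", trace_enabled_ports(fixed) or "none")
```

Run it against a real server.xml by reading the file into a string in place of SAMPLE_SERVER_XML; a non-empty list is the "first cause" from the article.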
The second cause is that your Tomcat is front-ended by an Apache or IIS server that has TRACE enabled, and you need to remediate there, not at Tomcat.
The third potential cause is that you're seeing a false positive. False positives usually pop up for me when using custom errors or redirects: the scanner hits a particular page, gets redirected, and treats the 302 as something other than the expected response for a disallowed method.
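To separate the real finding from the redirect false positive, it helps to look at what the scanner actually received. The following is an added example (not from the original article) that classifies a captured TRACE response: a genuine TRACE echo comes back as 200 with Content-Type message/http (the body is the request the server received), a disabled method gets 405 (or 501), and a 3xx means a custom redirect fired before the method was evaluated, so the result is inconclusive rather than a hit. The three sample responses are constructed for the example; example.test is a placeholder hostname.

```python
# Constructed sample responses to a TRACE request, as a scanner might capture them.
RESP_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Content-Length: 47\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Probe: 1\r\n\r\n"
)
RESP_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESP_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: str) -> str:
    """Return 'enabled', 'disabled', 'redirect' or 'other' for a TRACE response.

    'enabled'  - server echoed the request back (200 + message/http): real finding.
    'disabled' - method rejected (405/501): what Tomcat answers with allowTrace off.
    'redirect' - a 3xx reached the scanner first; likely the custom-redirect false
                 positive from the article. Re-test the redirect target directly.
    """
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").lower()
    if status == 200 and content_type.startswith("message/http") and body.startswith("TRACE "):
        return "enabled"
    if status in (405, 501):
        return "disabled"
    if 300 <= status < 400 and "location" in headers:
        return "redirect"
    return "other"


if __name__ == "__main__":
    for label, raw in (("echo", RESP_ENABLED), ("405", RESP_DISABLED), ("302", RESP_REDIRECT)):
        print(f"{label:>5}: {classify_trace_response(raw)}")
```

Only the "enabled" outcome is the first cause from the article; "redirect" is the third, and should be re-checked against the page the redirect points to before anyone changes a Connector.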