
08/29/2008

Tomcat - Disable TRACE Method

This article has been superseded by this one. 
No further updates will be made to this article. 

I've been seeing searches land on this site from folks looking for ways to disable the HTTP TRACE method on Tomcat. If you are running Tomcat 4.1+, 5.5+, or 6.0+, TRACE is disabled by default: the HTTP connector's allowTrace attribute defaults to false. If a PCI scanner is still flagging TRACE/TRACK as enabled, there are three likely reasons.

The first is that TRACE really is enabled. Open conf/server.xml, find the <Connector> element for the HTTP port, and look for an allowTrace attribute. If it reads allowTrace="true", either remove the attribute (the default is false) or set it to allowTrace="false", then restart Tomcat.

The second is that your Tomcat sits behind an Apache httpd or IIS front end that has TRACE (or, on IIS, TRACK) enabled. The scanner is talking to the front end, so the fix belongs there, not in Tomcat: on Apache httpd that is TraceEnable off in the main server configuration; on IIS the usual route is URLScan's verb filtering.

The third is a false positive. These usually show up for me when custom error pages or redirects are in play: the scanner sends TRACE to a particular page, gets a 302 instead of the 405 it expects, and reports the method as allowed. A real TRACE response is a 200 with Content-Type: message/http whose body echoes the request you sent; anything else deserves a second look before you chase it.
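To tell the three cases apart without trusting the scanner's verdict, here is an added example (my own script, not code from the original post or from the Tomcat project). It classifies the raw response to a TRACE request as a genuine echo, a blocked method, or a redirect, and audits a server.xml for a Connector carrying allowTrace="true". The sample responses, the host name tomcat.example, and the server.xml fragment are constructed for the example; probe_trace assumes curl is installed and is the only part that talks to a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies what a scanner
# would see for a TRACE request (real echo vs. 405 vs. a 302 that looks like a
# finding) and audits a server.xml for a Connector with allowTrace="true".
# Assumptions: the sample responses and server.xml fragment below are
# constructed for this example (tomcat.example is fictitious); probe_trace()
# assumes curl is installed.

# Classify the raw text of an HTTP response to "TRACE / HTTP/1.1".
# Prints one of: enabled | disabled | redirect | unknown
classify_trace_response() {
    status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}')
    ctype=$(printf '%s\n' "$1" | grep -i '^Content-Type:' | head -n 1 | tr -d '\r')
    case "$status" in
        200)
            # A genuine TRACE echo is message/http and repeats our request line.
            # A 200 with an HTML body is a page, not an echo: report unknown.
            if printf '%s' "$ctype" | grep -qi 'message/http' \
               && printf '%s\n' "$1" | grep -q '^TRACE '; then
                echo enabled
            else
                echo unknown
            fi
            ;;
        301|302|303|307|308)
            # The false-positive case from the post: a redirect, not a method echo.
            echo redirect
            ;;
        403|405|501)
            # What Tomcat (405) or a front end that blocks the verb returns.
            echo disabled
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Print "yes" if any <Connector> in the given server.xml has allowTrace="true"
# (case-insensitive, single or double quotes), else "no". Tomcat's default is
# false, so only an explicit true enables the method. Commented-out Connectors
# are not filtered out; review any hit by hand.
server_xml_allows_trace() {
    if tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' \
        | grep -qi "allowTrace=[\"']true"; then
        echo yes
    else
        echo no
    fi
}

# Live probe (not exercised offline): send a real TRACE and classify the reply.
# curl does not follow redirects without -L, so a 302 stays visible.
probe_trace() {
    classify_trace_response "$(curl -s -i -X TRACE "$1")"
}

# ---- constructed samples ---------------------------------------------------
SAMPLE_ENABLED='HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 64

TRACE / HTTP/1.1
Host: tomcat.example
User-Agent: curl/7.19.7
Accept: */*'

SAMPLE_DISABLED='HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, POST, OPTIONS
Content-Length: 0'

SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://tomcat.example/login
Content-Length: 0'

SAMPLE_PAGE='HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8

<html><body>custom error page</body></html>'

# Weak server.xml: TRACE explicitly switched on.
WEAK_SERVER_XML=$(mktemp)
cat > "$WEAK_SERVER_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               allowTrace="true"
               connectionTimeout="20000" redirectPort="8443" />
  </Service>
</Server>
EOF

# Remediated copy: the attribute is flipped to false (deleting it is equivalent).
FIXED_SERVER_XML=$(mktemp)
sed 's/allowTrace="true"/allowTrace="false"/' "$WEAK_SERVER_XML" > "$FIXED_SERVER_XML"

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_REDIRECT" "$SAMPLE_PAGE"; do
    printf '%-8s <- %s\n' "$(classify_trace_response "$s")" "$(printf '%s\n' "$s" | head -n 1)"
done
printf 'weak server.xml allows TRACE:  %s\n' "$(server_xml_allows_trace "$WEAK_SERVER_XML")"
printf 'fixed server.xml allows TRACE: %s\n' "$(server_xml_allows_trace "$FIXED_SERVER_XML")"
```

Run probe_trace http://host:8080/ against each hop (the front end and Tomcat directly) when a scanner complains; "redirect" or "unknown" on the front end with "disabled" on Tomcat is the false-positive pattern, while "enabled" on the front end but "disabled" on Tomcat points at the Apache or IIS layer.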
