Comments (9)
Can someone make a PR?
from server-configs-apache.
last i heard to be pci compliant you need to set TraceEnable off
for some reason we also had to set the following
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
from server-configs-apache.
From https://httpd.apache.org/docs/current/mod/core.html#TraceEnable
Despite claims to the contrary, TRACE is not a security vulnerability and there is no viable reason for it to be disabled. Doing so necessarily makes your server non-compliant.
@mathiasbynens Can you provide more details on why this should be done? Thanks!
from server-configs-apache.
this is a bit old but if it still holds true...
https://bugzilla.redhat.com/show_bug.cgi?id=463940
http://www.apacheweek.com/issues/03-01-24#news
from server-configs-apache.
As the docs say:
The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.
There is no reason to allow TRACE HTTP requests on a production website.
From https://httpd.apache.org/docs/current/mod/core.html#TraceEnable
Despite claims to the contrary, TRACE is not a security vulnerability and there is no viable reason for it to be disabled. Doing so necessarily makes your server non-compliant.
Note that per RFC 2616, support for HTTP TRACE is OPTIONAL: http://tools.ietf.org/html/rfc2616#section-5.1.1 So it is perfectly compliant to disable it.
from server-configs-apache.
@efes0, @mathiasbynens Thanks for your comments!
from server-configs-apache.
For the record (and for future search-engine users stumbling across this), the original HTTP/1.1 RFC2616 mentioned above by @mathiasbynens was superseded in 2014 by a collection of updated HTTP/1.1 RFCs.
That said, his point about TRACE being optional still holds of course. Here's the updated link and verbiage -- i.e., from RFC7231's Overview of Methods:
This specification defines a number of standardized methods that are
commonly used in HTTP, as outlined by the following table.
...
All general-purpose servers MUST support the methods GET and HEAD.
All other methods are OPTIONAL.
from server-configs-apache.
The OWASP documentation on Cross-Site Tracing (XST) suggests that:
Modern browsers now prevent TRACE requests being made via JavaScript, however, other ways of sending TRACE requests with browsers have been discovered, such as using Java.
HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured.
... methods that should be disabled are the following:
PUT: ... An attacker can exploit it by uploading malicious files.
DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.
CONNECT: This method could allow a client to use the web server as a proxy.
TRACE: ... This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing.
And in Testing for HTTP Verb Tampering:
As long as the web application being tested does not specifically call for any non-standard HTTP methods, testing for HTTP verb tampering is quite simple. If the server accepts a request other than GET or POST, the test fails. The solution is to disable all non GET or POST functionality within the web application server, or in a web application firewall.
This issue is focusing solely on TRACE, however if methods other than GET and POST are deemed safe to disallow entirely: Just send a 405 Method Not Allowed for everything else?
E.g:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST) [NC]
RewriteRule .* - [R=405,L]
from server-configs-apache.
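The thread discusses three behaviours without showing them side by side: Apache's default (a TRACE request is echoed back, cookies included, which is what Cross-Site Tracing relies on), `TraceEnable off` (405 for TRACE only), and the stricter rewrite rules posted above (403 or 405 for anything that is not GET/POST). The following Python script is an added example and is not code from h5bp/server-configs-apache or from Apache httpd: `respond()` is a deliberately small model of those three policies, not Apache's implementation, `classify_trace_response()` is the check a defender would run over the raw response to a TRACE probe to see whether the server reflects the request (and which headers came back), and all request and response bytes are constructed samples. The GET/POST allow-list is an assumption carried over from the rewrite rule in the last comment.

```python
"""Added example for this thread (not code from h5bp/server-configs-apache):
an offline model of the TRACE controls discussed above, plus a classifier for
the answer a server gives to a TRACE request. Every request and response here
is a constructed sample; nothing touches the network."""
import re

# Allow-list mirroring `RewriteCond %{REQUEST_METHOD} !^(GET|POST) [NC]` from
# the thread (assumption: these are the only methods the site needs). Like
# that pattern it is a case-insensitive prefix match with no trailing `$`.
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_RE = re.compile(r"^(GET|POST)", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def respond(raw_request: bytes, policy: str = "trace_off") -> bytes:
    """Model (not Apache's code) of the front end's decision for one request.

    policy "default"   : TraceEnable on; TRACE is echoed back as message/http
    policy "trace_off" : TraceEnable off; TRACE gets 405, other methods pass
    policy "allowlist" : the rewrite rule from the thread; 405 unless GET/POST
    A 200 with an empty body stands in for "handed to the application".
    """
    method = parse_request(raw_request)[0]
    if method == "TRACE" and policy == "default":
        # Reflect the request head exactly as received, cookies included.
        echoed = raw_request.split(b"\r\n\r\n", 1)[0] + b"\r\n"
        return (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                b"Content-Length: " + str(len(echoed)).encode() + b"\r\n\r\n" + echoed)
    blocked = (method == "TRACE" if policy == "trace_off"
               else policy == "allowlist" and not ALLOWED_RE.match(method))
    if blocked:
        # RFC 7231 requires an Allow header on a 405; it lists the allow-list above.
        return (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: "
                + ", ".join(ALLOWED_METHODS).encode() + b"\r\nContent-Length: 0\r\n\r\n")
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def status_of(raw_response: bytes) -> int:
    """Extract the numeric status code from a raw response."""
    return int(raw_response.split(b" ", 2)[1])


def classify_trace_response(raw_response: bytes, sent_request: bytes) -> tuple:
    """Classify a server's answer to our TRACE request.

    Returns (verdict, echoed_headers): "reflected" when a 2xx body repeats our
    request line (TRACE is live; echoed_headers lists which of our headers came
    back, e.g. Cookie), "blocked" on 403/405, otherwise "other".
    """
    status = status_of(raw_response)
    body = raw_response.partition(b"\r\n\r\n")[2]
    request_line = sent_request.split(b"\r\n", 1)[0]
    if 200 <= status < 300 and request_line in body:
        echoed = [line.split(b":", 1)[0].decode()
                  for line in body.split(b"\r\n")[1:] if b":" in line]
        return "reflected", echoed
    if status in (403, 405):
        return "blocked", []
    return "other", []


# Constructed sample traffic (not captured from any real host).
SAMPLE_TRACE = (b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Cookie: session=CONSTRUCTED-SAMPLE\r\nMax-Forwards: 0\r\n\r\n")
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_PUT = b"PUT /upload.txt HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"


def audit(policy: str) -> dict:
    """Run the three samples through one policy and summarise the outcome."""
    verdict, echoed = classify_trace_response(respond(SAMPLE_TRACE, policy), SAMPLE_TRACE)
    return {
        "trace": verdict,
        "cookie_echoed": "Cookie" in echoed,
        "get": status_of(respond(SAMPLE_GET, policy)),
        "put": status_of(respond(SAMPLE_PUT, policy)),
    }


if __name__ == "__main__":
    for name in ("default", "trace_off", "allowlist"):
        print(name, audit(name))
```

Running the script prints one line per policy; only the "default" policy yields `trace: reflected` with `cookie_echoed: True`, and only the allow-list policy turns the PUT into a 405. To check a real host, feed the bytes of an actual TRACE response (for example captured with `curl -i -X TRACE`) into `classify_trace_response()` together with the request you sent.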