httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] TRACE feature
Date Thu, 28 Aug 2003 17:34:03 GMT

On Thu, 28 Aug 2003, slipmode wrote:

> Hello
> I read this paper describing the vulnerabilities of running TRACE on
> apache.
> It does not mention the exact method of disabling TRACE from apache. It
> mentions a modification to the source code which I cannot find.
> Is there a specific need to run TRACE on production servers and how can
> it be removed? It seems most distros use TRACE by default. RedHat,
> Slackware and Gentoo I know use it. Is there any not running it? This
> article implies that there is.

Don't believe everything you read.

Disabling TRACE will do practically nothing to secure your server.  There
was an extensive discussion on Bugtraq related to this.  See, for example:
And see the discussion in apacheweek:


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message