The TRACE method must be disabled.

From APACHE 2.2 Server for Windows Security Technical Implementation Guide

SV-33183r1_rule The TRACE method must be disabled.

Vulnerability discussion

Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subject to abuse and should be disabled.

Check content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a or directive). Also ensure that the TraceEnable directive is set to “Off”. If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On".

Fix text

Disable the TraceEnable directive by setting it to "off".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.