Details
The HTTP TRACE verb provides debugging and diagnostics information for a given request.
Rationale:
Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.
Solution
Perform the following to prevent Tomcat from accepting a TRACE request:
Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false.
Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.
Add the following as a child of the web-app root element, if present, in each web application's web.xml:
…
…
…
Default Value:
Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.
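The following audit script is an added example, not part of this benchmark or of Tomcat; it applies the rule stated above (TRACE is honoured only when a Connector carries allowTrace set to true) to a constructed server.xml and lists the Connectors that would still answer TRACE, so the allowTrace remediation can be verified before and after the change.

```python
"""Audit Tomcat server.xml Connector elements for the allowTrace attribute."""
import xml.etree.ElementTree as ET


def connector_trace_status(server_xml: str) -> list[dict]:
    """Return one record per <Connector> stating whether TRACE is enabled.

    Tomcat only honours TRACE when allowTrace is present and set to true;
    an absent attribute or any other value means TRACE is refused, which is
    the benchmark's stated default. The comparison is case-insensitive, the
    conservative choice for an audit (a value such as "True" is flagged).
    Commented-out Connectors are ignored by the XML parser.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        raw = conn.get("allowTrace")
        enabled = raw is not None and raw.strip().lower() == "true"
        results.append({
            "port": conn.get("port", "?"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "allowTrace": raw,
            "trace_enabled": enabled,
        })
    return results


def noncompliant_connectors(server_xml: str) -> list[str]:
    """Ports of Connectors that would answer TRACE requests (audit failures)."""
    return [r["port"] for r in connector_trace_status(server_xml) if r["trace_enabled"]]


# Constructed sample server.xml for the demonstration (not a real deployment).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" allowTrace="false"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for rec in connector_trace_status(SAMPLE_SERVER_XML):
        state = "FAIL (TRACE enabled)" if rec["trace_enabled"] else "ok"
        print(f"port {rec['port']:>5} allowTrace={rec['allowTrace']!r}: {state}")
```

Run it against a real file with `connector_trace_status(open("/path/to/conf/server.xml").read())`; only the 8080 Connector in the sample is reported, since the absent attribute on 8009 falls back to the secure default.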
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.