How to Disable HTTP TRACE or Other REQUEST_METHOD in Oracle HTTP Server
(Doc ID 259404.1)
Last updated on AUGUST 09, 2023
Applies to:
Oracle HTTP Server - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle HTTP Server - Version 220.127.116.11.0 to 18.104.22.168.0 [Release Oracle11g]
Oracle HTTP Server - Version 22.214.171.124.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Information in this document applies to any platform.
How to Disable HTTP TRACE or Other REQUEST_METHOD
This article describes a way to disable the HTTP TRACE method within the Oracle HTTP Server (OHS) by rewriting such requests to a Forbidden page, which has been a popular configuration. The same concept applies to other methods, in case you decide to further limit the request methods the server accepts:
GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
Note: GET and POST are the most commonly used methods in any web page, and you likely do not want to disable these.
TRACE is used for the rewrite option in this article because it has been a popular request. The 10.1.3.4 and 10.1.3.5 Patch Set readme files also recommend restricting TRACE as a security precaution. (Restricting it is still recommended on all versions; that readme is simply where the recommendation was announced.) Note that some other methods may be used by Oracle components (and your applications) in ways not explicitly stated, and they are valid HTTP request methods in use within Internet technologies. However, in some cases, an administrator may wish to disable one or more of them by using the rewrite method.
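The rewrite-to-Forbidden approach described above, as an added example built from standard Apache mod_rewrite directives (it is not the configuration text from this Oracle note). The virtual host address, port and server name are placeholders, and the commented-out method list is only an illustration drawn from the methods named above.

```apache
# httpd.conf, main server context.
# No <IfModule> wrapper on purpose: if mod_rewrite is not loaded, the server
# refuses to start instead of silently running without the restriction.
RewriteEngine On

# Anchor the pattern so only the exact method name matches.
RewriteCond %{REQUEST_METHOD} ^TRACE$
# "-" means no substitution; [F] answers 403 Forbidden and stops processing.
RewriteRule .* - [F]

# Same concept for further methods: list them in one alternation.
# Confirm first that no Oracle component or application relies on them.
# RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS|DELETE)$
# RewriteRule .* - [F]

# Rewrite rules defined in the main server context are not applied inside
# virtual hosts unless each virtual host opts in, so repeat these two lines
# in every <VirtualHost>, including the one that serves the SSL listen port.
# Placeholder address, port and name:
<VirtualHost *:8080>
    ServerName www.example.com
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>
```

After a restart, a TRACE request to each listen port should return 403 Forbidden while GET and POST continue to work.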
If there is a reason to "restrict" a method because of a security issue, please provide Oracle Support with a test case that reproduces and demonstrates the security exploit. If it's a third-party recommendation, please have the third party contact Oracle Security directly:
Reporting Security Vulnerabilities
To protect against all known, fixed and applicable vulnerabilities, Oracle recommends applying the latest Patch Set and then monitoring for Critical Patch Updates on your new version:
In this Document
How to Disable HTTP TRACE or Other REQUEST_METHOD
Disable TRACE Method
Rewrite TRACE and Other Methods to a Forbidden Page
Verify RewriteRule Works
Using Telnet to Verify the Configuration for a Non-SSL Listen Port
Using Curl to Verify the Configuration for a SSL Listen Port