Last updated on MARCH 28, 2017
Applies to: Oracle HTTP Server - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle HTTP Server - Version 220.127.116.11.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Information in this document applies to any platform.
How to Disable HTTP TRACE or Other REQUEST_METHOD
This article describes a way to disable the HTTP TRACE method within the Oracle HTTP Server (OHS) using a rewrite to a Forbidden page, which has been a popular configuration. The same concept applies to other methods, in case you decide to further limit the request methods the server accepts:
GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
Note: GET and POST are the most popular in any web page, and you likely do not want to disable these.
TRACE was used for this article for the rewrite option because it has been a popular request. It is also a recommendation in the 10.1.3.4 and 10.1.3.5 Patch Set readme files to restrict TRACE as a security precaution. Note that some other methods may be used by Oracle components (and your applications) in ways not explicitly expressed, and are valid HTTP request methods in use within the Internet technologies. However, in some cases, an Administrator may wish to disable one or more by using the rewrite method.
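The rewrite-to-Forbidden approach described above can be written with standard Apache mod_rewrite directives, as in the following added example. It is not taken from the Oracle note; it assumes mod_rewrite is already loaded in the OHS httpd.conf, and the virtual host shown is a constructed placeholder.

```apache
# Added example, not Oracle's published configuration.
# Assumption: mod_rewrite is loaded (LoadModule rewrite_module ...) in httpd.conf.

# Main server context.
RewriteEngine On

# Match the request method exactly. Anchoring both ends (^...$) ensures that
# only the listed method is refused and nothing else matches by prefix.
RewriteCond %{REQUEST_METHOD} ^TRACE$

# "-" performs no substitution; the [F] flag answers with 403 Forbidden
# and stops further rule processing for this request.
RewriteRule .* - [F]

# The same concept for several methods at once: replace the condition above
# with an alternation. GET and POST are deliberately left out.
# RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS|DELETE)$

# Caveat: rewrite rules in the main server context are not applied inside
# virtual hosts unless each one enables the engine and inherits them
# (or repeats the RewriteCond/RewriteRule pair itself).
# The address below is a constructed placeholder.
<VirtualHost *:443>
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>
```

After restarting OHS, a request such as `curl -i -X TRACE http://<your-ohs-host>/` should return `403 Forbidden`, while a normal GET to the same URL should be unaffected.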
If there is a reason to "restrict" a method because of a security issue, please provide Oracle Support with a test case that reproduces and shows the security exploit. If it's a third-party recommendation, please have the third party contact Oracle Security directly:
Reporting Security Vulnerabilities
To protect against all known, fixed and applicable vulnerabilities, Oracle recommends applying the latest Patch Set and then monitoring for Critical Patch Updates on your new version: