
How to Disable HTTP TRACE or Other REQUEST_METHOD in Oracle HTTP Server (Doc ID 259404.1)

Last updated on AUGUST 09, 2023

Applies to:

Oracle HTTP Server - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle HTTP Server - Version 11.1.1.2.0 to 11.1.1.9.0 [Release Oracle11g]
Oracle HTTP Server - Version 12.1.3.0.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Information in this document applies to any platform.

Goal

How to Disable HTTP TRACE or Other REQUEST_METHOD

This article describes a way to disable the HTTP TRACE method in Oracle HTTP Server (OHS) by rewriting such requests to a Forbidden page, which has been a popular configuration. The same concept applies to other methods, in case you decide to further limit the request methods the server accepts:

GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Note: GET and POST are the most commonly used methods on any web page, and you likely do not want to disable these.

Note:
TRACE is used for the rewrite option in this article because it has been a popular request. The 10.1.3.4 and 10.1.3.5 Patch Set readme files also recommend restricting TRACE as a security precaution. (Restricting it is still recommended on all versions; that readme is simply where the recommendation was announced.) Note that some other methods may be used by Oracle components (and your applications) in ways that are not explicitly stated, and they are valid HTTP request methods in use within Internet technologies. However, in some cases an Administrator may wish to disable one or more of them by using the rewrite method.
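
One way to confirm that a method is actually refused once such a rewrite is in place, as an added example that is not part of the Oracle document or Oracle's own tooling: the probe sends a request carrying a random marker header and returns the status code and whether the marker came back in the body, which is what an enabled TRACE does. The names `probe_method`, `is_blocked` and `X-Method-Probe` are assumptions made for the illustration, and the local stand-in server is constructed so the block runs offline; it is not Oracle HTTP Server.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_method(host, port, method="TRACE", use_tls=False, timeout=5):
    """Send one request; return (status, echoed). echoed means the body
    reflected our marker header, which is what an enabled TRACE does."""
    marker = uuid.uuid4().hex
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Method-Probe": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, marker in body
    finally:
        conn.close()

def is_blocked(status, echoed):
    # 403 is what a rewrite to a Forbidden page yields; 405/501 are also refusals.
    return status in (403, 405, 501) and not echoed

class StandIn(BaseHTTPRequestHandler):
    """Constructed local stand-in for testing the probe; not Oracle HTTP Server."""
    forbid = ()  # methods answered with 403, set per server in start_stand_in

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok")

    def do_TRACE(self):
        if "TRACE" in self.forbid:
            self._reply(403)
        else:  # unrestricted behaviour: reflect the request line and headers
            self._reply(200, (self.requestline + "\r\n" + str(self.headers)).encode())

    def log_message(self, *args):  # keep the example quiet
        pass

def start_stand_in(forbid=()):
    handler = type("Handler", (StandIn,), {"forbid": tuple(forbid)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against a real listener you administer, call `probe_method(host, port)` for a non-SSL Listen port and `probe_method(host, port, use_tls=True)` for an SSL Listen port, then pass the result to `is_blocked`.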

If there is a reason to "restrict" a method because of a security issue, please provide Oracle Support with a test case that reproduces and shows the security exploit. If it's a third-party recommendation, please have the third party contact Oracle Security directly:

Reporting Security Vulnerabilities

https://www.oracle.com/technology/deploy/security/alerts.htm#ReportingVulnerabilities 

To protect against all known, fixed and applicable vulnerabilities, Oracle recommends applying the latest Patch Set and then monitoring for Critical Patch Updates on your new version:

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Solution



In this Document
Goal
 How to Disable HTTP TRACE or Other REQUEST_METHOD
Solution
 Disable TRACE Method
 Rewrite TRACE and Other Methods to a Forbidden Page
 Verify RewriteRule Works
 Using Telnet to Verify the Configuration for a Non-SSL Listen Port
 Using Curl to Verify the Configuration for a SSL Listen Port
References
