How to Disable HTTP TRACE or Other REQUEST_METHOD (Doc ID 259404.1)

Last updated on MARCH 28, 2017

Applies to:

Oracle HTTP Server - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle HTTP Server - Version 11.1.1.2.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Information in this document applies to any platform.

Goal

How to Disable HTTP TRACE or Other REQUEST_METHOD

This article describes a way to disable the HTTP TRACE method in Oracle HTTP Server (OHS) by using a rewrite to a Forbidden page, which has been a popular configuration. The same concept applies to other methods, in case you decide to further limit the request methods the server accepts:

 

GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Note: GET and POST are the most popular in any web page, and you likely do not want to disable these.
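One way to confirm that a method restriction of the kind described above is actually in effect on your own OHS instance, as an added example (not Oracle's code and not part of the original note): the script sends one request per method from the list above and reports which ones the server still answers. Counting 403, 405 and 501 as "refused", the GET/POST/HEAD allow-list, and all function names are assumptions of this example.

```python
"""Audit which HTTP request methods a web server still answers.
Added example, not Oracle's code. Assumption: a method counts as "refused"
when the reply is 403 (the Forbidden rewrite described above), 405 or 501.
"""
import http.client
import sys

# Method list taken from the article.
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "TRACE",
           "OPTIONS", "MOVE", "INDEX", "MKDIR", "RMDIR"]
REFUSED = {403, 405, 501}  # assumption: statuses counted as "disabled"


def probe_method(host, port, method, path="/", use_tls=False, timeout=5.0):
    """Send one request with the given method; return the status code or None."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the socket closes cleanly
        return resp.status
    except (OSError, http.client.HTTPException):
        return None  # connection dropped or the reply was not valid HTTP
    finally:
        conn.close()


def audit_methods(host, port, methods=METHODS, **kwargs):
    """Return {method: (status, refused)} for every method probed."""
    statuses = {m: probe_method(host, port, m, **kwargs) for m in methods}
    return {m: (s, s in REFUSED) for m, s in statuses.items()}


def still_enabled(results, expected_allowed=("GET", "POST", "HEAD")):
    """Methods the server answered that are outside the allow-list."""
    return sorted(m for m, (status, refused) in results.items()
                  if status is not None and not refused
                  and m not in expected_allowed)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    report = audit_methods(host, port, use_tls=(port == 443))
    for name, (status, refused) in report.items():
        print(f"{name:8} {status} {'refused' if refused else 'ANSWERED'}")
    sys.exit(1 if still_enabled(report) else 0)
```

Run it with a host name and port as arguments; a non-zero exit status means at least one method outside the allow-list was still answered.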



 

 

Note:
TRACE was used for this article for the rewrite option because it has been a popular request. It is also a recommendation in the 10.1.3.4 and 10.1.3.5 Patch Set readme files to restrict TRACE as a security precaution. Note that some other methods may be used by Oracle components (and your applications) in ways not explicitly expressed, and are valid HTTP request methods in use within the Internet technologies. However, in some cases, an Administrator may wish to disable one or more by using the rewrite method.

If there is a reason to "restrict" a method because of a security issue, please provide Oracle Support with a test case that reproduces and shows the security exploit. If it's a third-party recommendation, please have the third party contact Oracle Security directly:

Reporting Security Vulnerabilities
http://www.oracle.com/technology/deploy/security/alerts.htm#ReportingVulnerabilities
 

To protect against all known, fixed and applicable vulnerabilities, Oracle recommends applying the latest Patch Set and then monitoring for Critical Patch Updates on your new version:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html 

 



Solution
