The Nessus rule has a very precise guide for disabling it:
Add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
So in my main Apache config file I put TraceEnable off.
I will check the Nessus scan results after these changes.
If you cannot wait for that, you can use telnet to check whether TRACE is actually off:
telnet your.server 80
TRACE / HTTP/1.1
Host: a.valid.hostname
sometext
2 comments:
Would this be done by inserting the code into the Apache httpd.conf?
yes