Skip to content

HTTP TRACE and TRACK Methods Enabled

Scan IDsmisconfiguration.http_trace, misconfiguration.http_track
SeverityInfo
ClassificationsCWE-489: Active Debug Code
OWASP CategoryOWASP API8:2023 Security Misconfiguration

The HTTP TRACE and TRACK methods are debugging methods that instruct the web server to echo back the complete incoming request — including all headers — as the response body. This means any Authorization, Cookie, or custom header sent with the request is returned verbatim in the response.

In a Cross-Site Tracing (XST) attack, a browser-based script that can issue TRACE requests could use this echo behaviour to steal HttpOnly cookies or authorization headers that would otherwise be inaccessible to JavaScript. While modern browser security policies (CSP, CORS, SameSite) mitigate many XST paths, leaving TRACE/TRACK enabled violates the principle of least privilege and may expose sensitive headers in logs, proxies, or less-protected environments.

TRACE /api/users HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiI...
X-Custom-Internal: secret
HTTP/1.1 200 OK
Content-Type: message/http
TRACE /api/users HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiI...
X-Custom-Internal: secret

The full request — including Authorization — is reflected back in the response body.

Terminal window
vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_trace --scans misconfiguration.http_track

VulnAPI supports scanning against various types of other vulnerabilities as well.

  • Header exposure: Authorization, Cookie, and custom internal headers sent with a TRACE request are reflected in the response body, making them readable by any party that can observe the response (intermediate proxies, logs, browser scripts under certain conditions).
  • Debug information leakage: internal headers (X-Internal-User, X-Request-ID, etc.) that would not normally be visible to clients may be exposed.
  • Cross-Site Tracing (XST): in older browser environments or when combined with other vulnerabilities, TRACE can be used to steal credentials from browser-based clients.

Disable TRACE and TRACK at the web server level.

Nginx — restrict to allowed methods only:

location / {
limit_except GET POST PUT DELETE PATCH OPTIONS {
deny all;
}
}

Apache — disable TRACE globally:

TraceEnable Off

Express (Node.js) — reject TRACE/TRACK in middleware:

app.use((req, res, next) => {
if (req.method === 'TRACE' || req.method === 'TRACK') {
return res.status(405).send('Method Not Allowed');
}
next();
});

Verify the fix by checking that TRACE returns a 405 Method Not Allowed response:

Terminal window
curl -X TRACE https://api.example.com/ -i
# Expected: HTTP/1.1 405 Method Not Allowed