-====================-
We add these lines to httpd.conf:
CODE
ServerSignature Off
ServerTokens Prod
Disable TRACE to avoid XSS attacks
-==========================-
At the end of httpd.conf we add the following lines:
CODE
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Checking if TRACE is enabled
-======================-
CODE
#telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
If TRACE is enabled, we get something like this (the server echoes the request back):
CODE
HTTP/1.1 200 OK
Date: Thu, 22 Mar 2007 18:35:44 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http
25
TRACE / HTTP/1.1
Host: 127.0.0.1
If TRACE is disabled, we get a 403 instead:
CODE
HTTP/1.1 403 Forbidden
Date: Thu, 22 Mar 2007 18:36:30 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
c6
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
</BODY></HTML>
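As an added example (not from the original page), the following Python script performs the same check as the telnet session above and classifies the reply, and also verifies that the Server header is reduced to the bare product name as ServerTokens Prod intends. The two embedded responses are constructed from the page's transcripts; the host and port passed to check_trace() are assumptions.

```python
import socket

# Sample responses, constructed from the page's telnet transcripts (not live captures).
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nDate: Thu, 22 Mar 2007 18:35:44 GMT\r\nServer: Apache\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
    b"25\r\nTRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n\r\n0\r\n\r\n"
)
TRACE_DISABLED = (
    b"HTTP/1.1 403 Forbidden\r\nDate: Thu, 22 Mar 2007 18:36:30 GMT\r\nServer: Apache\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"c6\r\n<HTML>...</HTML>\r\n0\r\n\r\n"
)

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def trace_state(raw: bytes) -> str:
    """'enabled' when the server echoes the request as message/http with 200;
    'disabled' on a refusal (403 from the page's RewriteRule, 405 from Apache's
    TraceEnable Off directive); 'unknown' for anything else."""
    status, headers = parse_response(raw)
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled"
    if status in (403, 405):
        return "disabled"
    return "unknown"

def server_header_leaks_version(raw: bytes) -> bool:
    """True when Server carries more than the bare product name, i.e. ServerTokens
    is not Prod (e.g. 'Apache/2.2.3 (Unix)' instead of 'Apache')."""
    _, headers = parse_response(raw)
    return headers.get("server", "") != "Apache"

def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the same TRACE request the page types into telnet and classify the reply.
    Connection: close is added so the read loop ends when the server is done."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    return trace_state(b"".join(chunks))
```

Run check_trace("127.0.0.1", 80) against your own server after the httpd.conf change; a result of "disabled" confirms the rule is in effect.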