Automatically, Apache 2..52 will react to any HTTP TRACE request it receives. This can be a potential security problem since it makes it possible for certain kinds of XSS attacks. For particulars, see http://world wide web.apacheweek.com/issues/03-01-24#news

I'm attempting to disable TRACE demands by using the instructions proven within the page associated with above. I added the next lines of code to my http.conf file, and restarted apache:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

However, after i send a TRACE request to my web server, it appears to disregard the rewrite rules and responds as though TRACE demands remained as enabled.

For instance:

[admin2@dedicated ~]$ telnet XXXX.com 80
Trying XXXX...
Connected to XXXX.com (XXXX).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test: foobar

HTTP/1.1 200 OK
Date: Sat, 11 Jul 2009 17:33:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
X-Test: foobar

Connection closed by foreign host.

The server should respond with 403 Forbidden. Rather, it echoes back my request having a 200 OK.

Like a test, I transformed the RewriteCond to % ^GET

After I do that, Apache properly responds to any or all GET demands with 403 Forbidden. However when I change Return to TRACE, still it allows TRACE demands through.

How do i get Apache to prevent reacting to follow demands?

As is available stated, that actually works inside your VirtualHost block. While you did not show httpd.conf I can not say why your initial attempt did not work - it's context-sensitive.

It unsuccessful within the since it is not necessarily relevant there, that's generally for access control. Whether it did not operate in the .htaccess the chances are apache wasn't searching for it (you should use AllowOverride make it possible for them).

Some versions require:

TraceEnable Off

I determined the right way to get it done.

I'd attempted placing the block of rewrite directives in three places: within the <Directory "/var/www/html"> area of the httpd.conf file, towards the top of my httpd.conf file, as well as in the /var/world wide web/html/.htaccess file. None of those three techniques labored.

Finally, however, I attempted putting the block of code in <VirtualHost *:80> a part of my httpd.conf. For whatever reason, it really works when it's placed. there.