
TRACE is an HTTP request method intended for diagnostics and connection analysis. A server that supports TRACE echoes the request it received (request line, headers and, where present, the body) back to the client, so the client can see exactly what arrived after any proxies or other intermediaries.

TRACE is therefore an easy way to tell what an HTTP client is sending and what the server is receiving. Apache, IIS and iPlanet all implement TRACE as defined in the HTTP/1.1 RFC and enable it by default. Very few system administrators have disabled this request method, either because the method was considered harmless, because the default settings were considered good enough, or because there was simply no option to do so.

There is a risk, though: because the server echoes the request verbatim, the TRACE response contains whatever the client sent, including Cookie and Authorization headers. Script running in a browser that can read a TRACE response therefore obtains credentials it should not have access to (cross-site tracing, XST). A web server that does not need TRACE should not answer it.
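The following probe shows both halves of the problem: it builds a raw TRACE request carrying a Cookie header and then checks whether a response is the echo described above, reporting which sensitive headers came back. It is an added example, not code from this page or from JobScheduler; the host name example.test, the X-Trace-Probe marker header and the constructed sample responses are assumptions made for the illustration. The probe() function talks to a live server; the sample_response() helper produces constructed responses so the checks can be run offline.

```python
"""Probe for an HTTP server that honours TRACE (cross-site tracing exposure)."""
import socket

# Hypothetical marker header; its presence in the response body proves the echo.
MARKER_HEADER = "X-Trace-Probe"


def build_trace_request(host, path="/", extra_headers=None):
    """Build a raw TRACE request; extra_headers mimics what a browser would
    attach automatically (Cookie, Authorization)."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}", f"{MARKER_HEADER}: xst-check"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    lines += ["Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_is_enabled(raw_response):
    """A server honours TRACE when it answers 200 with Content-Type message/http
    and the body contains the request we sent (our marker header proves that)."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    if not headers.get("content-type", "").startswith("message/http"):
        return False
    return MARKER_HEADER.lower().encode("ascii") in body.lower()


def leaked_headers(raw_response, wanted=("cookie", "authorization")):
    """Return which of the named request headers the server echoed back in the
    TRACE body; these are exactly what a cross-site tracing attack reads."""
    _, _, body = parse_response(raw_response)
    found = []
    for line in body.decode("iso-8859-1").split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if name in wanted:
            found.append(name)
    return found


def probe(host, port=80, cookie="", timeout=5.0):
    """Send a TRACE to a live server and summarise the result (network access)."""
    extra = {"Cookie": cookie} if cookie else None
    request = build_trace_request(host, "/", extra)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    raw = b"".join(chunks)
    return {"enabled": trace_is_enabled(raw), "leaked": leaked_headers(raw)}


def sample_response(request, enabled):
    """Constructed responses (not captured from any real server) for offline use:
    an echoing server reflects the request as message/http, a hardened one
    answers 405 Method Not Allowed."""
    if enabled:
        head = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                b"Content-Length: %d\r\n\r\n" % len(request))
        return head + request
    return (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
            b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    req = build_trace_request("example.test", "/", {"Cookie": "JSESSIONID=deadbeef"})
    for enabled in (True, False):
        raw = sample_response(req, enabled)
        print("echoing server:" if enabled else "hardened server:",
              "TRACE enabled =", trace_is_enabled(raw), "leaked =", leaked_headers(raw))
```

Against a real host, probe("www.example.test", 80, cookie="JSESSIONID=...") returns {"enabled": True, "leaked": ["cookie"]} when the server reflects the request unchanged; a hardened server answers 405 (or 403 when a security constraint like the one below rejects the method) and both fields come back empty.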

The standard way to disable TRACE in Jetty is a security constraint in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoTrace</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint grants access to no role at all,
         so every TRACE request to any URL is rejected by the container. -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>

This does not work for the Jetty instance running inside JobScheduler. For that reason the TRACE method is disabled in the Jetty plugin itself starting with release 1.7.xxxx
