Ensure HTTP Trace Method is disabled

The HTTP TRACE method echoes the client's HTTP request back in the entity body of the TRACE response. Attackers can leverage this behavior to read sensitive information contained in the request's HTTP headers, such as authentication data or cookies. This can be mitigated by using the <verbs> element of the <requestFiltering> collection; the <verbs> element replaces the [AllowVerbs] and [DenyVerbs] features in UrlScan. It is recommended that the HTTP TRACE method be denied.

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane, select the site, application, or directory to be configured.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb in the Actions pane.
  5. In the Deny Verb dialog box, specify TRACE, and then click OK.
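The same change can be scripted and then audited with the WebAdministration module, which is how the setting is usually enforced at scale. The following is an added example and not part of the original benchmark text; it assumes an elevated PowerShell session on the IIS host, targets the server-level applicationHost.config (change $psPath to an 'IIS:\Sites\<site name>' path to scope it to one site), and writes the TRACE entry into the requestFiltering/verbs collection described above.

```powershell
# Added example: deny the HTTP TRACE verb through request filtering and verify it.
# Assumes IIS 7.5+ with the WebAdministration module and an elevated session.
Import-Module WebAdministration

$filter = 'system.webServer/security/requestFiltering/verbs'
$psPath = 'MACHINE/WEBROOT/APPHOST'   # server level; use 'IIS:\Sites\Default Web Site' for a single site
$traceEntry = "$filter/add[@verb='TRACE']"

# The verbs collection rejects duplicate keys, so add only if TRACE is not already listed.
$existing = Get-WebConfiguration -PSPath $psPath -Filter $traceEntry
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ verb = 'TRACE'; allowed = 'False' }
} elseif ($existing.allowed) {
    # Entry exists but still permits TRACE: flip it to denied.
    Set-WebConfigurationProperty -PSPath $psPath -Filter $traceEntry -Name 'allowed' -Value 'False'
}

# Audit step: pass only when an explicit TRACE entry exists and is marked allowed="false".
$trace = Get-WebConfiguration -PSPath $psPath -Filter $traceEntry
if ($trace -and -not $trace.allowed) {
    Write-Output 'PASS: HTTP TRACE is denied by request filtering'
} else {
    Write-Output 'FAIL: HTTP TRACE is not explicitly denied'
}
```

The resulting configuration is the fragment <add verb="TRACE" allowed="false" /> inside <system.webServer><security><requestFiltering><verbs>. Once applied, IIS answers a TRACE request with HTTP 404 (substatus 404.6, "Verb denied") rather than echoing the request, so a client-side check such as Invoke-WebRequest -Method Trace against the site should return 404 instead of 200.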