Issue: Apache supports the TRACE and/or TRACK methods by default. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to obtain the credentials of a legitimate user.

Solution: Disable these methods by adding the following lines for each virtual host in httpd.conf:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Could the above lines be added to the apache.conf?
*** This bug has been marked as a duplicate of 26529 ***
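
An added example, not part of the original report or of Apache itself: a Python check that lists the `<VirtualHost>` blocks of a configuration that lack the three rewrite lines quoted in the report. The sample configuration, host names and function names are constructed for illustration, and the check assumes the default mod_rewrite behaviour in which server-level rules are not inherited by virtual hosts.

```python
import re

# Constructed sample config (not from the report). The server-level rules at
# the top are not inherited by virtual hosts by default, so each
# <VirtualHost> block is judged on its own contents.
SAMPLE_CONF = """\
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

<VirtualHost *:80>
    ServerName www.example.test
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.test
    RewriteEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)

def has_forbidden_flag(args):
    """True if the trailing [flags] of a RewriteRule include F or forbidden."""
    m = re.search(r"\[([^\]]*)\]\s*$", args)
    return bool(m) and any(f.strip().lower() in ("f", "forbidden") for f in m.group(1).split(","))

def blocks_trace(body):
    """Heuristic: RewriteEngine on, plus a REQUEST_METHOD condition naming TRACE and TRACK feeding an [F] rule."""
    engine_on = cond_seen = rule_found = False
    for line in body.splitlines():
        name, _, args = line.strip().replace("\t", " ").partition(" ")
        name, args = name.lower(), args.strip()
        if name == "rewriteengine":
            engine_on = args.lower() == "on"
        elif name == "rewritecond":
            up = args.upper()
            cond_seen |= "%{REQUEST_METHOD}" in up and "TRACE" in up and "TRACK" in up
        elif name == "rewriterule":
            rule_found |= cond_seen and has_forbidden_flag(args)
            cond_seen = False  # conditions apply only to the next rule
    return engine_on and rule_found

def unprotected_vhosts(conf):
    """Return the address of every <VirtualHost> lacking the mitigation."""
    return [addr.strip() for addr, body in VHOST_RE.findall(conf) if not blocks_trace(body)]
```
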