Categories
Apache Linux PCI Security SSL Windows

PCI Audit Remediation for TRACE and TRACK issues on apache

PCI Audits often reveal TRACE & TRACK as issues that must be handled before the website can be considered PCI compliant.

If you are running apache 2.x, the following directives will disable TRACE & TRACK functionality.

This change needs to be made in /etc/httpd/conf/httpd.conf:
ServerTokens OS
TraceEnable OFF

The Mod_rewrite directives below need to be added to all paragraphs in both of the following locations:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf

nsert this code right before for each Virtual Host

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* – [F]