HTTP Trace method contains instance information

Learn how to stop the HTTP TRACE method from disclosing instance information by setting TraceEnable off in each enabled vhost.

Description

Environment

Experience Manager

Issue/Symptoms

A pentest was performed and the following medium-risk finding was reported: Unnecessary HTTP method TRACE enabled.

The site was requested with the domain in the Host header, but the HTTP response contains information about the server’s name. This allows attackers to see the original host name and the AEM instance name. The response header is coming from the load balancers. Is it possible to mask the X-Original-Host header in the HTTP responses?

Resolution

The TRACE method echoes the received request back to the client, including headers added by intermediaries such as the load balancer, which is how the original host name is exposed. The solution is to set TraceEnable off in each enabled vhost, as shown below:

<VirtualHost *:80>
    ServerName "customer-publish"
    ServerAlias "customer.com"
    TraceEnable off
</VirtualHost>
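Because the directive has to be present in every enabled vhost, a quick audit of the Dispatcher/Apache configuration helps catch a vhost that was missed. The following check is an added example, not part of this article or of any Adobe tooling; the vhost configuration it scans is constructed inline and the host names in it are placeholders.

```python
import re

# Constructed sample Apache/Dispatcher vhost config (not a real customer file):
# vhost 1 is hardened, vhost 2 omits TraceEnable, vhost 3 explicitly enables it.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName "customer-publish"
    ServerAlias "customer.com"
    TraceEnable off
</VirtualHost>
<VirtualHost *:80>
    ServerName author.example.test
    # TraceEnable forgotten here
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    TraceEnable on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def _directives(block):
    """Yield (name, value) per directive line; comment lines skipped, quotes stripped."""
    for line in block.splitlines():
        if line.lstrip().startswith("#"):  # Apache comments occupy whole lines
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).strip('"\'')


def vhosts_with_trace_enabled(config_text):
    """Return ServerNames of vhosts that do not set TraceEnable off (Apache's default is on)."""
    offenders = []
    for block in VHOST_RE.findall(config_text):
        name, trace_off = "<no ServerName>", False
        for key, value in _directives(block):
            if key == "servername":
                name = value
            elif key == "traceenable":
                trace_off = value.lower() == "off"  # last occurrence wins
        if not trace_off:
            offenders.append(name)
    return offenders
```

After the change is deployed, confirm it on the running instance with curl -si -X TRACE against the site; Apache answers 405 Method Not Allowed once TraceEnable is off.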
