HTTP TRACE / TRACK Methods Allowed

By kimot, 15 January, 2025

The HTTP TRACE method is a type of HTTP request that is used to perform a message loopback test on the path to the target resource. As that description suggests, the method exists for testing purposes and shouldn't be allowed on a production website.

You can easily check the status of the HTTP TRACE method on a website with this command:

curl --insecure -v -X TRACE https://ibms3:1967

If the HTTP TRACE method is allowed, the output will contain something like this:

...
* using HTTP/1.x
> TRACE / HTTP/1.1
> Host: ibms3:1967
> User-Agent: curl/8.6.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Date: Wed, 15 Jan 2025 14:39:03 GMT
< Server: Apache
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
Host: ibms3:1967
User-Agent: curl/8.6.0
Accept: */*

* Leftovers after chunking: 7 bytes
* Connection #0 to host ibms3 left intact

We disable this method with the TraceEnable Off directive in the Apache configuration file:

TraceEnable Off

After restarting the web server you can see HTTP/1.1 405 Method Not Allowed in the response:

...
* using HTTP/1.x
> TRACE / HTTP/1.1
> Host: ibms3:1967
> User-Agent: curl/8.6.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 405 Method Not Allowed
< Date: Wed, 15 Jan 2025 14:37:44 GMT
< Server: Apache
< Allow:
< Content-Length: 222
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
<p>The requested method TRACE is not allowed for this URL.</p>
</body></html>
* Connection #0 to host ibms3 left intact
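The two curl runs above can be turned into a small audit script that tells a permitted TRACE (200 with the request echoed back as message/http) apart from a blocked one (405). This is an added example, not code from the post; the function names are mine, the host ibms3:1967 comes from the post, and the two byte-string samples are constructed to mirror the responses shown above.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class TraceResult:
    status: int    # HTTP status code from the response line
    echoed: bool   # True when the server played the request back (Content-Type: message/http)

def classify_trace_response(raw: bytes) -> TraceResult:
    """Parse a raw HTTP/1.1 reply to a TRACE request and decide whether TRACE is honoured."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # Permitted TRACE: 200 plus the echoed request as message/http; after TraceEnable Off: 405 with an HTML body
    echoed = status == 200 and headers.get(b"content-type", b"").startswith(b"message/http")
    return TraceResult(status, echoed)

def probe_trace(host: str, port: int = 443, verify: bool = True, timeout: float = 5.0) -> TraceResult:
    """Send one TRACE over TLS and classify the reply (verify=False mirrors curl --insecure)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "User-Agent: trace-audit/0.1\r\nAccept: */*\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while chunk := tls.recv(4096):   # Connection: close, so read until EOF
                chunks.append(chunk)
    return classify_trace_response(b"".join(chunks))

# Constructed samples modelled on the curl output above (before and after TraceEnable Off)
TRACE_ALLOWED_SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nTransfer-Encoding: chunked\r\n"
                        b"Content-Type: message/http\r\n\r\n4b\r\nTRACE / HTTP/1.1\r\nHost: ibms3:1967\r\n"
                        b"User-Agent: curl/8.6.0\r\nAccept: */*\r\n\r\n\r\n0\r\n\r\n")
TRACE_BLOCKED_SAMPLE = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow:\r\n"
                        b"Content-Length: 0\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n")

if __name__ == "__main__":
    # Live use against the lab host from the post: probe_trace("ibms3", 1967, verify=False)
    for label, sample in (("before", TRACE_ALLOWED_SAMPLE), ("after", TRACE_BLOCKED_SAMPLE)):
        print(label, classify_trace_response(sample))
```

Run probe_trace against each of your own servers after applying TraceEnable Off and confirm that every result reports status 405 and echoed False.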