The response to a TRACE request includes the HTTP headers sent by the client, which could include sensitive information such as cookies. Although it is not a concern for a user to see the headers being sent by his or her own browser, a user could be tricked into sending these headers to an attacker by following a specially-crafted link on another web server. This vulnerability is known as cross-site tracing, which is a variant of the well-known cross-site scripting vulnerability. A web server which is vulnerable to cross-site tracing could be exploited by a malicious web site to trick an unsuspecting user into revealing sensitive information to an attacker.

• Microsoft IIS: Use URL Scan to filter both TRACE and TRACK requests.
• Apache 1.3.34 and 2.0.55 and higher: Use the TraceEnable directive to disable the TRACE method. Add the following line to the configuration file: TraceEnable Off
• Apache (all versions): Enable the mod_rewrite module, and add the following lines to the configuration file:

  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]

• iPlanet: Disabling the TRACE request method currently requires making a change to a shared object library. See the White Paper for details.
• BEA WebLogic Server and Express: Upgrade and apply the appropriate patch described in the BEA Advisory BEA04-48.01.
• Sun Java System Application Server Upgrade to enterprise edition 8.2 or higher when available.

Mac OS cross-site tracing was reported in Apple article HT3937.