Introduction
Recently I got a request for disabling TRACE method calls in the application for security reasons because an attacker could have access to some information that would allow them to find a breach.
Solution
Considering the application is using spring boot, there are some steps to follow.
Change application.properties
The following line should be added in the application.properties file:
1
spring.mvc.dispatch-trace-request=true
This change is required to tell spring that the TRACE requests should go now through the FrameworkServlet doService method just as other methods. So we will be able to intercept it.
Configuration Spring MVC
In order to configure Spring MVC, we just need to create a configuration class extending WebMvcConfigurer. Here you can see an example in kotlin.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
@Configuration
class WebConfig : WebMvcConfigurer {
override fun addInterceptors(registry: InterceptorRegistry) {
registry.addInterceptor(TraceMethodInterceptor()).addPathPatterns("/**")
}
private class TraceMethodInterceptor : HandlerInterceptor {
override fun preHandle(
request: HttpServletRequest,
response: HttpServletResponse,
handler: Any,
): Boolean {
if (HttpMethod.TRACE.matches(request.method)) {
response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED)
return false
}
return true
}
}
}
In the example we are doing the following:
- Creating a new interceptor called
TraceMethodInterceptorwhich will always responds as METHOD_NOT_ALLOWED when any TRACE request is executed againist our application - Adding the interceptor in spring
- Adding the pattern that will be intercepted with
addPathPatterns("/**")
Conclusion
That’s should be enough for disabling incoming TRACE requests in our application. I also created a repository in github so you can have all the details of the application such as tests for verifying that the implementation works.
Hope it helps! :)