Parameter: HTTPDisableTRACE

Short description: Disables the HTTP TRACE method on the web server – important security hardening against cross-site tracing (XST).
Profile

| Setting | Value |
| --- | --- |
| Parameter | HTTPDisableTRACE |
| Category | HTTP / Web |
| Component | Server |
| Available since | 9.0.1 |
| Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | Configuration document |
| Possible values | 0 = TRACE allowed (default), 1 = TRACE blocked |
Description

The HTTP method TRACE echoes the request, including all headers, back to the client. In combination with cross-site scripting, this can be abused to exfiltrate cookies or authentication headers (cross-site tracing, XST). HTTPDisableTRACE=1 instructs the Domino HTTP task to consistently reject TRACE requests with 405 Method Not Allowed (or 403). This is standard hardening for all publicly reachable Domino web servers.

Example configuration

HTTPDisableTRACE=1
Notes & pitfalls

- Frequently checked explicitly by pen-testing / compliance tools (Qualys, Nessus, OWASP checks).
- Diagnostic tools that legitimately use TRACE are very rare – the practical impact is essentially zero.
- Takes effect after an HTTP restart (tell http restart).
- Pairs well with HTTPDisableXFrameOptions=0, HTTP_SESSION_COOKIES_SECURE=1, HSTS, and CSP headers for a consistent hardening profile.
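To confirm the setting after the HTTP restart, the following added example (not part of Domino or of this page) grades a server's reply to a TRACE request the same way the compliance scanners above do, and also checks the notes.ini line itself. The probe header name, the sample responses and the host names are constructed for illustration.

```python
"""Check whether a Domino web server still accepts TRACE (XST hardening check).
Added example, not Domino code; grades a live reply or a captured raw response."""
import http.client
import re

PROBE_HEADER = "X-Xst-Probe"  # marker header; a working TRACE echoes it back to us
# Constructed sample replies (not captured from a real server).
TRACE_ALLOWED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n\r\n"
    f"TRACE / HTTP/1.1\r\nHost: www.example.invalid\r\n{PROBE_HEADER}: 1\r\n"
)
TRACE_BLOCKED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"


def grade_trace_reply(status: int, body: str) -> tuple[bool, str]:
    """Return (exposed, reason); exposed means the server accepted TRACE."""
    if status >= 400:  # 405/403 is what HTTPDisableTRACE=1 should produce
        return False, f"TRACE rejected with HTTP {status}"
    # TRACE echoes the request, so the probe header appears in the body when it works.
    echoed = re.search(rf"(?im)^{re.escape(PROBE_HEADER)}:", body) is not None
    return True, "TRACE accepted" + (" and request headers echoed" if echoed else "")


def grade_raw_reply(raw: str) -> tuple[bool, str]:
    """Grade a raw HTTP/1.1 response captured as text (offline use)."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split()[1])
    return grade_trace_reply(status, body)


def probe_server(host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
    """Send one TRACE request to a server you administer and grade the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: "1"})
        resp = conn.getresponse()
        return grade_trace_reply(resp.status, resp.read().decode("latin-1", "replace"))
    finally:
        conn.close()


def ini_disables_trace(notes_ini: str) -> bool:
    """True when notes.ini sets HTTPDisableTRACE=1 (last matching line is used)."""
    value = "0"  # parameter absent -> default 0, TRACE allowed
    for line in notes_ini.splitlines():
        m = re.match(r"\s*HTTPDisableTRACE\s*=\s*(\d+)", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value == "1"
```

Run probe_server against your own Domino host before and after setting the parameter; a 405 or 403 reply means the hardening is active, while a 2xx reply that echoes the probe header means TRACE is still exposed.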