TRACK and TRACE HTTP Methods

TRACK and TRACE HTTP Methods

by Brian Ball -
Number of replies: 3
So my security guy is using the NESSUS scanner and has alerted me to some issues on my Moodle server. "The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections."
I'm assuming right away this may have to do with the Development/Debugging feature built into the WebUI. 
Has anyone come across this? Is Moodle going to break if I disable these methods?
Average of ratings: -
In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Ken Task -
Picture of Particularly helpful Moodlers

Please see:

https://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

once you disable, check how moodle is affected ...

Then, in config.php file add:

$CFG->debug=1;
$CFG->debugdisplay=1;

Check site.

Then mess up the the config.php file by removing the ';' at the end of the debugdisplay and debug lines.

Hit site.

Remove those lines from config.php when you are done.

'SoS', Ken

Average of ratings: -
In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Matteo Scaramuccia -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

Hi Brian,
TRACK and TRACE are HTTP Methods you should disable in the Web Server serving the Moodle pages. Moodle is not a Web Server.

Moodle runs on top of DELETE GET HEAD OPTIONS POST PUT HTTP Methods.

HTH,
Matteo

Average of ratings: -