  1. TRACE
    1. Writing requests (clients)
    2. Reading requests (intermediaries)
    3. Reading requests (origin servers)
    4. Security concerns
    5. Overview table

TRACE

The TRACE method requests an application-level loop-back of the request message.

Writing requests (clients)

TRACE is used for debugging HTTP pipelines through proxies and gateways; it is not meant for day-to-day or automated use. It may be combined with the Max-Forwards request header to find out which node in the chain sees which request message: each intermediary decrements Max-Forwards before forwarding, and the node that receives a value of 0 answers the request itself instead of forwarding it.

HTTP prohibits attaching sensitive information (such as credentials) to a TRACE request unless it is acceptable for that information to be disclosed in the response. Clients that attach ambient authority to requests (for example, a user agent that automatically adds Authorization or Cookie headers) and cannot guarantee this requirement are better off refusing to send TRACE requests altogether.

Clients must not send a message body in a TRACE request.

Reading requests (intermediaries)

If the request contains a request body, return 413 (Payload Too Large).

If the request headers contain Max-Forwards: 0, do not forward the request; handle it as the final recipient, responding exactly as an origin server would (see below).

Otherwise, decrement the Max-Forwards value if the header is present and forward the HTTP message as usual.

Reading requests (origin servers)

If the request contains a request body, return 413 (Payload Too Large).

The origin server is always the final recipient, so it responds regardless of whether a Max-Forwards header is present; if present, that header is simply reflected with the others.

The server should set Content-Type: message/http and write a response body containing the request-line and headers that were received, excluding any header fields likely to carry sensitive data (Authorization, Proxy-Authorization, Cookie). Intermediaries are allowed to rewrite HTTP headers if the meaning is preserved, so the response may be reconstructed from the available header information if the raw headers are not accessible to the application.

As a precaution against user agents that still allow scripts to issue TRACE requests with ambient authority, servers should refuse requests carrying an Origin header, for example with 400 (Bad Request), or otherwise deny access to the resource, unless the server can determine that the response discloses no private credentials (for example, the reflected headers include no Authorization or Cookie field).
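The following is an added example, not code from the original page or from any real proxy or server: a small model of the procedure described in the client, intermediary and origin-server sections above. A TRACE request is passed through a configurable number of proxies; each one rejects a body, answers as the final recipient when Max-Forwards reaches 0, and otherwise decrements the header and forwards. The final recipient reflects the request as message/http while dropping credential-bearing headers, and refuses cross-origin requests that carry such headers. Requests and responses are plain dicts, and the function names (reflect, proxy, send_through_chain, make_request) and the sample request contents are this example's own.

```python
# Added example (not from the original page): model of TRACE handling by
# intermediaries and the final recipient. Names and sample data are
# hypothetical; requests and responses are plain dicts.
from typing import Callable, Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]
Request = Dict[str, object]   # method, target, version, headers, body
Response = Dict[str, object]  # status, reason, headers, body

# Fields that must never be reflected: RFC 7231 4.3.8 says the final
# recipient SHOULD exclude header fields likely to contain sensitive data.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup of the first header with the given name."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def error(status: int, reason: str) -> Response:
    return {"status": status, "reason": reason, "headers": [], "body": b""}


def reflect(req: Request) -> Response:
    """Final-recipient handling: echo the request-line and headers as message/http."""
    if req["body"]:
        return error(413, "Payload Too Large")
    has_secret = any(k.lower() in SENSITIVE for k, _ in req["headers"])
    # A cross-origin request carrying ambient credentials is refused outright
    # rather than risking reflecting them to a script (see "Security concerns").
    if get_header(req["headers"], "Origin") is not None and has_secret:
        return error(400, "Bad Request")
    lines = [f"{req['method']} {req['target']} {req['version']}"]
    lines += [f"{k}: {v}" for k, v in req["headers"] if k.lower() not in SENSITIVE]
    body = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    return {
        "status": 200, "reason": "OK",
        "headers": [("Content-Type", "message/http"),
                    ("Content-Length", str(len(body)))],
        "body": body,
    }


def proxy(req: Request, next_hop: Callable[[Request], Response]) -> Response:
    """Intermediary handling: answer as final recipient at Max-Forwards: 0,
    otherwise decrement Max-Forwards (if present) and forward to the next hop."""
    if req["body"]:
        return error(413, "Payload Too Large")
    max_fwd = get_header(req["headers"], "Max-Forwards")
    if max_fwd is None:
        return next_hop(req)
    try:
        hops_left = int(max_fwd)
    except ValueError:
        hops_left = -1
    if hops_left < 0:  # malformed Max-Forwards value
        return error(400, "Bad Request")
    if hops_left == 0:
        return reflect(req)
    headers = [(k, str(hops_left - 1) if k.lower() == "max-forwards" else v)
               for k, v in req["headers"]]
    return next_hop({**req, "headers": headers})


def send_through_chain(req: Request, intermediaries: int) -> Response:
    """Client -> N proxies -> origin; returns the response of whichever node answered."""
    handler: Callable[[Request], Response] = reflect  # the origin server
    for _ in range(intermediaries):
        nxt = handler
        handler = lambda r, nxt=nxt: proxy(r, nxt)  # wrap one more proxy in front
    return handler(req)


def make_request(headers: Headers, body: bytes = b"") -> Request:
    """Constructed sample TRACE request (not captured from any real client)."""
    return {"method": "TRACE", "target": "/", "version": "HTTP/1.1",
            "headers": [("Host", "example.com")] + headers, "body": body}


if __name__ == "__main__":
    # Max-Forwards: 1 through two proxies: the second proxy sees 0 and answers.
    # The Cookie header is sent but never reflected.
    resp = send_through_chain(
        make_request([("Max-Forwards", "1"), ("Cookie", "sid=secret")]), 2)
    print(resp["status"], resp["reason"])
    print(resp["body"].decode("ascii"))
```

Running the module shows the second proxy answering with Max-Forwards: 0 in the reflected headers and no Cookie line; with no Max-Forwards header the request travels all the way to the origin. Real servers usually reflect what the application framework exposes rather than the raw bytes, so a reflected body like this one is a reconstruction in the sense described above.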

Security concerns

Some user agents allow scripts to make requests with ambient authority: the user agent attaches Authorization and Cookie headers that are not normally readable by the calling script. If such a request is made with TRACE, these headers are echoed in the response body and become readable to the script; this is the attack known as cross-site tracing (XST). User agents should not attach ambient authority to script-initiated requests (they are not being made on behalf of the user); if they must permit such requests, they must block TRACE in that context, which is what current browsers do: TRACE is a forbidden method for XMLHttpRequest and fetch. Servers that do not need TRACE for debugging can simply disable it (for example, TraceEnable off in Apache httpd), which removes the exposure regardless of client behaviour.

Overview table

Name: TRACE
Description: Requests that the request message be written back in the response body.
Safeness: Safe, Idempotent
Conditional fail: Not applicable
Request payload: Prohibited
Response payload: Required
Cacheable: Never
Specification: RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, section 4.3.8 TRACE