WhiteHat Security, perhaps in an attempt to make themselves appear important, or perhaps because they really thought it was true, released a security alert a few days ago. You can read it here: http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
In summary, here it is.
HTTP/1.1 provides a TRACE method, for debugging purposes. When you send a TRACE request, the final recipient (the origin server, or the last proxy if you set Max-Forwards) reflects the request it received back to you as the body of a 200 response, with Content-Type message/http: the request line, every header you sent, etc.
WhiteHat’s security alert said that when you send a TRACE request, you get it back, including the message body, headers, etc.
Pretty scary, huh?
So, basically, they are saying what the rest of us have known since HTTP/1.1 defined TRACE in RFC 2068 back in 1997. After all, it is in the HTTP specification, and you have read that, right?
Apparently, they think that you should not be able to get at information that you just sent to the server. It is secret or something.
So, folks, if you are in a panic about TRACE, you might want to read http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=104333761011676&w=2 which talks about it a little more scientifically than I have, and explains why it is a bunch of hogwash. You can feel free to disable TRACE on your Apache server if you really want to, but it won’t gain you anything other than a false sense of security.
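If you want to see for yourself what TRACE actually hands back, or confirm that you really did turn it off, here is a small probe. This is an added example, not code from the original post or from WhiteHat; the host name, the X-Trace-Marker header, the dummy cookie and the two sample replies are all constructed for illustration. It sends a TRACE with a marker header, then decides from the reply whether the server echoed the request, and lists which credential-bearing headers (Cookie, Authorization, Proxy-Authorization) came back in the echo. That last part is the one thing worth keeping in mind: the echo is the request as the server received it, so whatever your browser attached to it comes back too.

```python
"""Probe an HTTP server for TRACE reflection (added example, not from the post)."""
import sys
import http.client

# Request headers whose echo is the interesting part: they carry credentials.
CREDENTIAL_HEADERS = ("cookie", "authorization", "proxy-authorization")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; the body is returned as bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_reflected(status, headers, body, sent_headers):
    """True if the reply is a TRACE echo as RFC 2616 section 9.8 describes it:
    200 OK, Content-Type message/http, and a body that starts with our own
    request line and repeats every header we sent."""
    if status != 200:
        return False
    if not headers.get("content-type", "").lower().startswith("message/http"):
        return False
    echoed = body.decode("iso-8859-1", errors="replace")
    if not echoed.startswith("TRACE "):
        return False
    return all(f"{k}: {v}" in echoed for k, v in sent_headers.items())


def echoed_credential_headers(body):
    """Sorted names of credential-bearing headers present in an echoed request."""
    echoed = body.decode("iso-8859-1", errors="replace")
    found = []
    for line in echoed.split("\r\n")[1:]:          # skip the echoed request line
        name = line.partition(":")[0].strip().lower()
        if name in CREDENTIAL_HEADERS:
            found.append(name)
    return sorted(found)


def probe_trace(host, port=80, path="/", timeout=5):
    """Live check: send TRACE with a marker header and classify the reply.

    Returns (reflected, credential_headers_echoed). Needs network access.
    """
    sent = {
        "Host": host,
        "X-Trace-Marker": "probe-4f1c",      # hypothetical marker, any value works
        "Cookie": "session=dummy-value",     # dummy cookie; shows what an echo returns
    }
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers=sent)
        resp = conn.getresponse()
        body = resp.read()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return trace_reflected(resp.status, headers, body, sent), echoed_credential_headers(body)


# Constructed sample replies (not captured from a real server), so the
# classification logic can be exercised without a network.
SENT = {"Host": "www.example.test", "X-Trace-Marker": "probe-4f1c",
        "Cookie": "session=dummy-value"}
ECHO_BODY = (b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
             b"X-Trace-Marker: probe-4f1c\r\nCookie: session=dummy-value\r\n\r\n")
TRACE_ENABLED_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                       b"Content-Length: " + str(len(ECHO_BODY)).encode()
                       + b"\r\n\r\n" + ECHO_BODY)
# One plausible refusal; a server may also answer 403 or 501 when TRACE is off.
TRACE_DISABLED_REPLY = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                        b"Allow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    for raw in (TRACE_ENABLED_REPLY, TRACE_DISABLED_REPLY):
        status, headers, body = parse_http_response(raw)
        print(status, trace_reflected(status, headers, body, SENT),
              echoed_credential_headers(body))
    if len(sys.argv) > 1:                       # python probe.py www.example.test
        print(probe_trace(sys.argv[1]))
```

Run it with a host name to probe a live server; without one it only classifies the two constructed replies. If you do decide to switch TRACE off on Apache httpd, the core directive for that is `TraceEnable off` (added in 2.0.55 and 1.3.34, so it did not yet exist when this post was written), after which the probe should report the request as not reflected.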