What Is the TRACE Method?
The TRACE HTTP method performs a message loop-back test. When a client sends a TRACE request, the final recipient (the origin server, or the first proxy that receives the request with Max-Forwards: 0) replies with a 200 response whose body, of type message/http, contains the request as it arrived there. This lets developers see whether proxies, firewalls, or gateways are adding, removing, or rewriting headers while the message is in transit.
In other words:
➡️ TRACE lets you view your request exactly as the server receives it.
Why Is TRACE Used?
- Debugging intermediate layers: useful for analyzing proxy server behavior.
- Checking integrity of data: confirms that no modifications occur during transmission.
- Testing request flow: helps developers understand the exact route the request follows.
Security Concerns
Most production servers disable TRACE because the reflected request can include sensitive headers (cookies, Authorization tokens). RFC 9110 says the final recipient SHOULD exclude header fields likely to contain sensitive data from the reflection, but many implementations echo everything they received.
The main vulnerability is:
🔐 Cross-Site Tracing (XST)
If an attacker can make a victim's browser issue a cross-origin TRACE request and read the response, the reflected body hands back that user's Cookie and Authorization headers, including cookies marked HttpOnly, because the value comes back in the response body rather than through document.cookie. Historically this was done through browser plugins such as Flash or Java applets rather than plain JavaScript.
Because of this risk:
- Browsers treat TRACE as a forbidden method in XMLHttpRequest and fetch(), so page script cannot send it
- Web servers often disable TRACE (Apache: `TraceEnable off`; nginx does not implement TRACE and answers 405), and vulnerability scanners still report an enabled TRACE as a finding
TRACE Request Example
▶️ Client Request
TRACE /api/test HTTP/1.1
Host: example.com
User-Agent: DebugClient/1.0
Cookie: sessionToken=abc123

◀️ Server Response
HTTP/1.1 200 OK
Content-Type: message/http

TRACE /api/test HTTP/1.1
Host: example.com
User-Agent: DebugClient/1.0
Cookie: sessionToken=abc123

The server mirrors the incoming request. Note that the Cookie header comes back verbatim: that reflection is exactly what an XST attack reads. A hardened server either strips Cookie and Authorization from the reflected message or refuses TRACE altogether with 405 Method Not Allowed.
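The loop-back exchange above, together with the XST check from the Security Concerns section, as an added example that is not part of the original article. It runs a tiny standard-library HTTP server in-process so the whole round trip works offline: a naive responder that reflects every header (the risky behaviour shown above), a hardened responder that drops credential headers as RFC 9110 recommends, and a client-side probe that sends canary Cookie and Authorization values and reports whether they come back. The loopback address, `/api/test`, the canary values and the class and function names are assumptions made for the demo.

```python
"""TRACE loop-back and Cross-Site Tracing (XST) exposure check.

Added example, not code from the original article. Everything here
(host, port, path, canary header values, class names) is constructed
for the demo; only the standard library is used.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Header fields whose values must never be echoed back to a caller.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})


def build_reflection(request_line, headers, strip_sensitive):
    """Build the message/http body a TRACE responder returns.

    `headers` is an iterable of (name, value) pairs in the order received.
    With strip_sensitive=True this follows RFC 9110's advice that the final
    recipient should omit fields likely to carry credentials.
    """
    lines = [request_line]
    for name, value in headers:
        if strip_sensitive and name.lower() in SENSITIVE_HEADERS:
            continue
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def analyze_trace_response(status, content_type, body, probe):
    """Classify a TRACE response the way a pentest checklist would.

    `probe` maps header names to the canary values that were sent.
    Returns whether TRACE is enabled and which canaries were reflected.
    """
    enabled = status == 200 and content_type.split(";")[0].strip() == "message/http"
    text = body.decode("iso-8859-1", errors="replace")
    leaked = sorted(name for name, canary in probe.items() if canary in text)
    return {"trace_enabled": enabled,
            "leaked_headers": leaked,
            "xst_exposure": enabled and bool(leaked)}


class EchoHandler(BaseHTTPRequestHandler):
    """Naive responder: reflects everything, Cookie included (the risky case)."""
    strip_sensitive = False

    def do_TRACE(self):  # method name is dictated by BaseHTTPRequestHandler
        body = build_reflection(self.requestline, self.headers.items(),
                                self.strip_sensitive)
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class FilteringHandler(EchoHandler):
    """Hardened responder: still answers TRACE but drops credential headers."""
    strip_sensitive = True


def send_trace(host, port, path, headers):
    """Send one TRACE request carrying canary headers and return the report."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers=headers)
        resp = conn.getresponse()
        return analyze_trace_response(resp.status,
                                      resp.getheader("Content-Type", ""),
                                      resp.read(), headers)
    finally:
        conn.close()


def run_demo(handler_cls):
    """Start handler_cls on an ephemeral loopback port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Canary values stand in for a real session cookie and bearer token.
        probe = {"Cookie": "sessionToken=abc123",
                 "Authorization": "Bearer canary-token"}
        return send_trace("127.0.0.1", server.server_address[1], "/api/test", probe)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("naive server:   ", run_demo(EchoHandler))
    print("hardened server:", run_demo(FilteringHandler))
```

Against the naive responder the report lists both canaries as leaked and flags XST exposure; against the filtering responder TRACE is still reported as enabled but nothing leaks. Pointing `send_trace` at a real host gives the same three-way distinction a scanner makes: disabled (non-200 or not message/http), enabled but filtered, or enabled and reflecting credentials.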
When Should You Use TRACE?
👍 Suitable for:
- Debugging API gateways
- Inspecting proxy behavior
- Development environments
👎 Avoid in:
- Production environments
- Sensitive APIs
- Public-facing apps
Key Traits of TRACE
| Property | Value |
|---|---|
| Safe | Yes |
| Idempotent | Yes |
| Request Has Body | No |
| Response Has Body | Yes |
| Use Case | Debugging only |

