IIS
<httpHandlers>
<add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>
<authorization>
<deny verbs="TRACE" users="*" />
</authorization>
APACHE
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
The flag in square brackets sets the action: [F] returns a forbidden response, [R] redirects the request, and so on.
Note: by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host.
This approach still has disadvantages, one being that mod_rewrite must be enabled on the server. For Apache versions newer than 1.3.34 in the legacy branch, and 2.0.55 (or newer) for Apache 2, the same result is much easier to get, because a dedicated directive controls whether the TRACE method is enabled:
TraceEnable off
In Apache Tomcat, security is enforced by way of security constraints that are built into the Java Servlet specification. They are not configured in Tomcat's main server.xml file but in the web.xml configuration file of the web application:
webapps/theAPP/WEB-INF/web.xml
<!-- Sample Security Constraint -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint lists no roles, so no caller is allowed -->
  <auth-constraint />
</security-constraint>
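To audit a deployed web.xml for the constraint above, the following added example (not part of the original page) checks that a security-constraint with an empty auth-constraint covers TRACE. The function name `trace_denied` and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's constraint inside a namespaced <web-app>.
HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

# Constructed sample: a role is listed, so TRACE is allowed for that role.
ROLE_ALLOWED = HARDENED.replace(
    "<auth-constraint />",
    "<auth-constraint><role-name>admin</role-name></auth-constraint>")


def _children(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, name):
    return {(c.text or "").strip() for c in _children(elem, name)}


def trace_denied(web_xml_text, url_pattern="/*"):
    """True if a constraint with an empty <auth-constraint> covers TRACE."""
    # Assumption: url_pattern is compared as an exact string; servlet
    # pattern matching is not emulated here.
    root = ET.fromstring(web_xml_text)
    for constraint in _children(root, "security-constraint"):
        auth = _children(constraint, "auth-constraint")
        # Only an <auth-constraint> with no roles denies every caller.
        if not auth or any(_children(a, "role-name") for a in auth):
            continue
        for coll in _children(constraint, "web-resource-collection"):
            methods = _texts(coll, "http-method")
            omitted = _texts(coll, "http-method-omission")
            # No <http-method> means all methods except the omitted ones.
            covers = "TRACE" in methods or (not methods and "TRACE" not in omitted)
            if covers and url_pattern in _texts(coll, "url-pattern"):
                return True
    return False
```

A constraint that omits auth-constraint entirely, or that names a role, does not block TRACE, which is why the check returns False for those variants.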