TRACE

HTTP TRACE

SafeYes
IdempotentYes
CacheableNo
Request bodyNo
Response bodyYes

Overview

TRACE is a diagnostic method that echoes back how a request is transformed as it passes through proxies and gateways. The server returns the received request in the body (an echo).

Details

Use `Max-Forwards` to limit hops along the path. It is theoretically useful for debugging, but in practice most servers block TRACE with 405 due to a security risk (Cross-Site Tracing, XST).

Sensitive auth headers can be exposed in the echo, so disabling it in production is the standard recommendation.

Request / Response example

Request
TRACE / HTTP/1.1
Host: example.com
Max-Forwards: 2
Response
HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: example.com

In code

curl -X TRACE https://example.com/ -i   # 대개 405로 비활성화됨

Common mistakes

Typical status codes

Related methods

Related headers

ViaMax-Forwards