The HTTP TRACE method is a type of HTTP request that is used to perform a message loopback test on the path to the target resource.


An HTTP request of this type is used for diagnostic purposes, and there is no message body. The final recipient in the path will echo the message that it received, excluding any fields that are likely to contain sensitive data. For example, a server will not echo HTTP headers that include stored credentials or cookies.

The Max-Forwards HTTP header can be specified by the client to limit the maximum length of the HTTP request chain. In particular, this is useful for testing proxy servers that are circularly forwarding messages, causing an infinite loop. The server that responds will either be the origin server or the first one to receive a Max-Forwards HTTP header with a value of zero.

In response to HTTP TRACE, the server will return 200 OK with a Content-Type of message/http. The original HTTP request will be contained in the message body. If the Via HTTP header is included, it is worth examining because it contains information about intermediaries and proxies.

When the Via HTTP header is present in an HTTP request, it means that there are intermediaries between the client and the server. Similarly, when the Via HTTP header is present in an HTTP response, there are intermediaries between the origin server and the client. For each intermediary, the Via HTTP header will include the protocol and protocol version that were used.
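
The loopback behaviour described above (Max-Forwards deciding who answers, Via recording each hop, and sensitive fields being left out of the echo) can be modelled in a few lines of Python. This is an added example, not code from the original page: the host names, the `SENSITIVE` set, the helper functions and the sample request are all constructed for illustration.

```python
# Constructed model of TRACE handling along a proxy chain; not a real server.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}  # assumed list

def echo_response(request_line, headers):
    """Final recipient: echo the request as received, minus sensitive fields."""
    kept = [(k, v) for k, v in headers if k.lower() not in SENSITIVE]
    body = request_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in kept) + "\r\n"
    return {"status": 200, "content_type": "message/http", "body": body}

def forward(headers, proxy_name):
    """Proxy step: decrement Max-Forwards and append this hop to Via."""
    out, via_seen = [], False
    for k, v in headers:
        if k.lower() == "max-forwards":
            v = str(int(v) - 1)
        elif k.lower() == "via":
            v, via_seen = f"{v}, 1.1 {proxy_name}", True
        out.append((k, v))
    if not via_seen:
        out.append(("Via", f"1.1 {proxy_name}"))
    return out

def trace(chain, path, headers):
    """Send TRACE through `chain` (proxies first, origin last).
    Returns (responder, response): the responder is the origin server or
    the first proxy that receives Max-Forwards: 0."""
    request_line = f"TRACE {path} HTTP/1.1"
    for hop in chain[:-1]:
        mf = next((v for k, v in headers if k.lower() == "max-forwards"), None)
        if mf is not None and int(mf) == 0:
            return hop, echo_response(request_line, headers)
        headers = forward(headers, hop)
    return chain[-1], echo_response(request_line, headers)

# Constructed sample input.
CHAIN = ["proxy-a.example", "proxy-b.example", "origin.example"]
REQUEST = [("Host", "origin.example"), ("Max-Forwards", "1"),
           ("Cookie", "session=constructed-value")]

if __name__ == "__main__":
    responder, response = trace(CHAIN, "/index.html", REQUEST)
    print("answered by:", responder)
    print(response["body"])
```

Comparing the echoed body with what the client sent shows which hop answered and what each intermediary changed; a Cookie or Authorization field appearing in the echo means the responder is not filtering sensitive fields.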


The HTTP TRACE method is often disabled in production servers to thwart certain types of attacks.


In this example, the client sends the HTTP TRACE command to the server to validate the HTTP connection to the resource and determine what changes, if any, are made by intermediaries. The server responds with 200 OK and a copy of the original HTTP request in the message body, as well as a list of proxy servers that it passed through in the Via HTTP header.




HTTP/1.1 200 OK
Via: 1.1, 1.1



The HTTP TRACE request method is used to determine what changes, if any, are made between the client and server in the HTTP request chain. It is useful for debugging routing errors. This HTTP method is safe and idempotent but not cacheable.

Last updated: August 8, 2023