Normally, the recipient of the request is the origin server; the TRACE message also goes back toward the client if the value of the Max-Forwards request header is zero (Max-Forward: 0).
Why use TRACE
After sending HTTP requests they leave the client and a human collect screen captures only a while after responses are already received. So, HTTP traces are to be collected for HTTP traffic recording if an investigation is needed.
TRACE-ing Risk
Processing a TRACE request skips authorization verification. This increases the risk of stealing information, including cookies and possibly website credentials.
