Description

The steps below will help you secure your Apache httpd webserver and VirtualHosts against various types of threats or attacks.

Purpose & Scope

The purpose of this document is to help you identify problem areas or areas of concern that deserve proper attention and consideration in your policy.

Most of the directives below are part of the Apache httpd mod_headers module.

  1. Avoid Access-Control-Allow-Origin: *

    It is not uncommon for a modern website to include content delivered from another domain. For example, your website might include your recent Facebook posts, or what you recently posted on Twitter. Facebook and Twitter serve this content through their public APIs. A specification called Cross-Origin Resource Sharing (CORS) is often used as part of the process.

    You also might provide an API to content or resources on your server. Your API might allow POST, PUT or DELETE requests. These methods are able to add, change or delete content in your database or on your web-server.

    Do not use wide open configurations like this:

    Instead use something more specific like this:
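Both shapes side by side, as an added example that is not the original page's configuration: the wide-open header is shown commented out above an origin-specific form. The example.com origins and the /api path are hypothetical, and mod_headers plus mod_setenvif are assumed to be loaded.

```apache
# Added example (not the page's own configuration). Origins and the /api
# path are hypothetical; mod_headers and mod_setenvif must be loaded.

# Wide open: any site on the web may read API responses from a visitor's
# browser. Together with POST/PUT/DELETE handlers this is what to avoid.
# Header always set Access-Control-Allow-Origin "*"

<Location "/api">
    # Specific: capture the Origin header only when it exactly matches one of
    # the named front-end origins (scheme and host anchored, dots escaped).
    SetEnvIf Origin "^(https://(www|app)\.example\.com)$" CORS_ORIGIN=$1

    # Emitted only when CORS_ORIGIN was set, so an unknown origin gets no
    # CORS headers at all and the browser refuses to expose the response.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

    # Permit only the methods and request headers this API actually serves.
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization" env=CORS_ORIGIN

    # Tell shared caches that the response differs per Origin.
    Header always merge Vary "Origin"
</Location>
```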

  2. Establish a Cross-Domain Meta Policy

    Disallow others from using your content in their sites.

  3. Prohibit MIME Sniffing

    MIME sniffing provides an attack vector that malicious people can use to make the web-browser execute scripts embedded in specially crafted resources. Disable it to prevent these attacks.

  4. Remove Server Identifier

    In the HTTP headers that your web-server returns with each web-page (or asset) there is probably a string that looks similar to this:

    Server: Apache/2.2.17 (Fedora)

    That innocent-looking string tells the hacker what web-server software they're dealing with (Apache), what version of that software is running (2.2.17) and even what operating system the web-server runs on (Fedora). The problem here is that you're giving away too much information.

    It's much better not to reveal this information if we can help it.

    Method #1

    ServerTokens and ServerSignature directives. This method should be added to your main configuration file /etc/httpd/conf/httpd.conf or at the top of the VirtualHost file /etc/httpd/conf.d/vhosts.conf.

    Note: the most restrictive setting here still sends the web-server software name but does not send the operating system or software versions.

    ServerTokens Prod

    Server sends (e.g.): Server: Apache

    Method #2

    mod_security. This method will completely remove all information.

    This method requires the use of mod_security and is no light subject. If you plan to implement this, read the mod_security documentation before continuing with this step: mod_security can break your website if it is not configured properly.

  5. Remove X-Powered-By

    Like the Server identifier, PHP will also send its version in the response header, again giving away too much information about the server:

    X-Powered-By: PHP/5.5.30

  6. Enable Strict MSIE XSS Protection

    Microsoft's Internet Explorer (MSIE) has integrated protection against XSS attacks. You can instruct MSIE browsers how to behave when they encounter a suspected XSS attack. The most secure setting is to block the suspect page outright.

  7. Prohibit Content Framing

    Clickjacking is an attack where the hacker instructs the web-browser to render your website content beneath an invisible layer that has malicious click destinations overlaid atop your links.
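Items 2 through 7 collected into one configuration fragment, as an added example that is not the page's own; it assumes Apache 2.4 with mod_headers loaded and the file locations the page names above.

```apache
# Added example (not the page's own configuration). Place it in
# /etc/httpd/conf/httpd.conf or at the top of the VirtualHost file;
# Apache 2.4 syntax is assumed.

# 4. Remove Server Identifier, method #1: the banner shrinks to
#    "Server: Apache" and the version/OS footer disappears from
#    server-generated error pages and directory listings.
ServerTokens Prod
ServerSignature Off

<IfModule mod_headers.c>
    # 2. Cross-Domain Meta Policy: Flash and Acrobat clients may not load
    #    any crossdomain.xml policy from this host.
    Header always set X-Permitted-Cross-Domain-Policies "none"

    # 3. Prohibit MIME sniffing: the browser must honour the declared
    #    Content-Type instead of guessing (and possibly executing) a script.
    Header always set X-Content-Type-Options "nosniff"

    # 5. Remove X-Powered-By (PHP/x.y.z). Both forms are needed: the plain
    #    one covers normal responses, "always" also covers error responses.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # 6. Strict MSIE XSS protection: block the page rather than try to
    #    sanitise it (honoured by the legacy IE / WebKit filters).
    Header always set X-XSS-Protection "1; mode=block"

    # 7. Prohibit content framing. DENY forbids framing by anyone; use
    #    SAMEORIGIN instead if your own pages legitimately frame each other.
    Header always set X-Frame-Options "DENY"
</IfModule>
```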

  8. Content Security Policy

    A Content Security Policy (CSP) is a set of directives in your webserver configuration that govern content. They dictate what types of content you may use on your website and from which sources they may originate. The fine-grained control offered by a good CSP rule-set is probably the best defense against XSS and data injection attacks that you can achieve. These attacks are used for everything from data theft to site defacement and distribution of malware. Furthermore, all modern browsers are able to parse and act on a CSP.

    Content Security Policy (CSP) is complex and can take time to understand, configure and test. You should read the Mozilla Developer Network documents on CSP before implementing any rulesets.

    Covered types are:

    • JavaScript
    • CSS
    • HTML frames
    • web workers
    • fonts
    • images

    Embeddable objects such as:

    • Java applets
    • ActiveX
    • audio and video files
    • other HTML5 features

    Highly restrictive ruleset:
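One highly restrictive ruleset, added here as an example rather than the page's own; it assumes Apache 2.4 with mod_headers, a site that serves all of its own scripts, styles, fonts and images, and a hypothetical /csp-report endpoint that receives violation reports.

```apache
# Added example (not the page's own ruleset). Assumes mod_headers and a
# hypothetical /csp-report endpoint on this host.
<IfModule mod_headers.c>
    # Stage 1: report-only. Browsers log and report violations but block
    # nothing, so you learn what the policy would break before enforcing it.
    #
    #   default-src 'self'     anything not listed below may only come from this origin
    #   script-src 'self'      no inline <script>, no event handlers, no third-party JS
    #   style-src 'self'       no inline styles, no external stylesheets
    #   img-src / font-src     images and fonts only from this origin
    #   object-src 'none'      no Java applets, ActiveX, Flash or other plugins
    #   frame-src 'none'       this site embeds no frames
    #   frame-ancestors 'none' nobody may frame this site (backs up X-Frame-Options)
    #   base-uri 'self'        injected <base> tags cannot redirect relative URLs
    #   form-action 'self'     forms may only submit back to this origin
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; frame-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report"

    # Stage 2: once the report log is clean, enforce the identical policy and
    # remove the Report-Only line above.
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; frame-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report"
</IfModule>
```

Any page that relies on inline scripts or styles will show up in the reports under stage 1; fix those pages before moving to stage 2 rather than loosening the policy with 'unsafe-inline'.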

  9. Implement SSL/TLS

    See this document on setting up SSL / TLS.

  10. Strict Transport Security (HSTS)

    To avoid MITM (man-in-the-middle) attacks, where an attacker hijacks the communication stream, which is possible for a split second during a redirect from http -> https, enable HSTS. This setting will cause problems with non-SSL subdomains; in that case remove includeSubdomains; from the header below:
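The redirect and the HSTS header side by side, as an added example that is not the page's own configuration; www.example.com and the certificate paths are placeholders, and mod_ssl, mod_alias and mod_headers are assumed to be loaded.

```apache
# Added example (not the page's own configuration). www.example.com and the
# certificate paths are placeholders; mod_ssl, mod_alias, mod_headers assumed.

<VirtualHost *:80>
    ServerName www.example.com
    # Send every plain-HTTP request to HTTPS. The moment between this
    # redirect and the TLS handshake is the window HSTS closes for
    # browsers that have already seen the header.
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key

    # HSTS belongs only in the HTTPS vhost: browsers ignore it over plain
    # HTTP. max-age is one year in seconds. Drop "; includeSubDomains" if
    # any subdomain is still served over plain HTTP, otherwise browsers
    # that have seen this header refuse to reach it for the whole year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```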

  11. Disable access to wp-config.php

  12. Disable access to xmlrpc.php

  13. Disable access to .htaccess
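The three access rules in one fragment, as an added example that is not the page's own configuration, written in Apache 2.4 Require syntax with the 2.2 equivalent noted in a comment.

```apache
# Added example (not the page's own configuration). Apache 2.4 syntax; on
# 2.2 replace each "Require all denied" with "Order allow,deny" followed by
# "Deny from all". Put the rules in the main config or the site's VirtualHost.

# 11. wp-config.php holds the database credentials and salts. The pattern
#     also catches editor backups such as wp-config.php~ or wp-config.php.bak,
#     which a <Files "wp-config.php"> rule alone would leave downloadable.
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# 12. xmlrpc.php is frequently abused for password guessing and pingback
#     floods; deny it unless a plugin or the WordPress app actually needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 13. .htaccess and .htpasswd must never be served. Apache's stock httpd.conf
#     already carries a rule like this; keep it in place if you edit that file.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```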
Last Modified: 30 Dec, 2015 at 02:36:37