Dec 6, 2022 by Thibault Debatty | 1162 views
The example below provides some sound configuration parameters for Apache, to help protect your web application. These values can naturally be tweaked for your particular app.
With these parameters, we:
This is an OWASP recommendation: avoid the server to leak information via HTTP response headers. There is no doubt that anyone could still retrieve that information but at least, it will require a potential attacker to address specific requests in order to get it, making easier to detect the scan or attack through the logs.
Version control directories typically contain the source code of the application, and possibly configuration files and credentials. Normally they should be removed from the production server as part of the deployment process. If the deployment process is not correctly configured, these directives will block access to remaining version control directories.
iframes can be used to implement some kind of attacks like clickjacking attacks. The X-Frame-Options: "sameorigin"
header allows to prevent other sites from embedding pages from this site as frames.
Even if your website has HTTPS enabled, by default a web browser will first try to connect to the insecure (HTTP) version of the site (on port 80). Then it receives a ‘redirect’ response that instructs the browser to use the secure (https) version of the site. This creates a small window of vulnerability, that can be exploited. With the Strict-Transport-Security
header, we can instruct the browsers to always use the HTTPS version of the site, thus reducing the size of this vulnerability window.
Read more: https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts
MIME-type sniffing is a functionality found in some browsers that allows the browser to detect (sniff) the MIME-type of a downloaded file, to handle the file appropriately. But this feature can be exploited by a hacker to upload a specially crafted file, and execute code on the computer of the victim. The X-Content-Type-Options
header allows to disable MIME-type sniffing.
By default, when a browser sends a request, it sets the URL of the current page in the referrer
request header. This information can be used by a hacker to gain information about the structure of you web application, or to trigger special actions depending the pages visited by the victim. The Referrer-Policy
header allows to configure which information should be set by the browser in the referrer
request header.
Create a file called /etc/apache2/conf-available/99-harden.conf with the following content:
#
# https://cylab.be/blog/242/hardening-apache
#
### 1. Reduce server information leak
# ServerTokens configures what is returned as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
# https://httpd.apache.org/docs/2.4/en/mod/core.html#servertokens
ServerTokens Prod
# ServerSignature Configures the footer on server-generated documents
# like auto-generated index.html
# https://httpd.apache.org/docs/2.4/en/mod/core.html#serversignature
ServerSignature Off
# Determines the behavior on TRACE requests, which are nomaly used
# to debug the behavior of the web server
# https://httpd.apache.org/docs/2.4/en/mod/core.html#traceenable
TraceEnable Off
# X-Powered-By gives information about installed PHP version
Header always unset X-Powered-By
Header unset X-Powered-By
### 2. Block access to version control directories;
<DirectoryMatch "/\.svn">
Require all denied
</DirectoryMatch>
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>
### 3. Prevent other sites from embedding pages from this site as frames
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Header set X-Frame-Options: "sameorigin"
### 4. Enforce HTTPS
# Can be reset by applying "max-age=0"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000"
### 5. Prevent MIME-type sniffing by web browsers
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Header set X-Content-Type-Options: "nosniff"
### 6. Prevent information leak through the referrer header
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Header set Referrer-Policy "same-origin"
You can now enable the config with:
sudo a2enconf 99-harden
This blog post is licensed under CC BY-SA 4.0