Hardening Apache

Dec 6, 2022 by Thibault Debatty | 229 views

Secure Software Development

https://cylab.be/blog/242/hardening-apache

The example below provides some sound configuration parameters for Apache, to help protect your web application. These values can naturally be tweaked for your particular app.

With these parameters, we:

  1. Reduce server information leak;
  2. Block access to version control directories;
  3. Prevent other sites from embedding pages from this site as frames;
  4. Enforce HTTPS;
  5. Prevent MIME-type sniffing by web browsers and;
  6. Prevent information leak through the referrer header.

1. Reduce server information leak

This is an OWASP recommendation: avoid the server to leak information via HTTP response headers. There is no doubt that anyone could still retrieve that information but at least, it will require a potential attacker to address specific requests in order to get it, making easier to detect the scan or attack through the logs.

2. Block access to version control directories

Version control directories typically contain the source code of the application, and possibly configuration files and credentials. Normally they should be removed from the production server as part of the deployment process. If the deployment process is not correctly configured, these directives will block access to remaining version control directories.

3. Prevent other sites from embedding pages from this site as frames

iframes can be used to implement some kind of attacks like clickjacking attacks. The X-Frame-Options: "sameorigin" header allows to prevent other sites from embedding pages from this site as frames.

4. Enforce HTTPS

Even if your website has HTTPS enabled, by default a web browser will first try to connect to the insecure (HTTP) version of the site (on port 80). Then it receives a 'redirect' response that instructs the browser to use the secure (https) version of the site. This creates a small window of vulnerability, that can be exploited. With the Strict-Transport-Security header, we can instruct the browsers to always use the HTTPS version of the site, thus reducing the size of this vulnerability window.

Read more: https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts

5. Prevent MIME-type sniffing by web browsers

MIME-type sniffing is a functionality found in some browsers that allows the browser to detect (sniff) the MIME-type of a downloaded file, to handle the file appropriately. But this feature can be exploited by a hacker to upload a specially crafted file, and execute code on the computer of the victim. The X-Content-Type-Options header allows to disable MIME-type sniffing.

6. Prevent information leak through the referrer header

By default, when a browser sends a request, it sets the URL of the current page in the referrer request header. This information can be used by a hacker to gain information about the structure of you web application, or to trigger special actions depending the pages visited by the victim. The Referrer-Policy header allows to configure which information should be set by the browser in the referrer request header.

referrer-header.png

Configuration

Create a file called /etc/apache2/conf-available/99-harden.conf with the following content:

#
# https://cylab.be/blog/242/hardening-apache
#

### 1. Reduce server information leak

# ServerTokens configures what is returned as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
# https://httpd.apache.org/docs/2.4/en/mod/core.html#servertokens
ServerTokens Prod

# ServerSignature Configures the footer on server-generated documents
# like auto-generated index.html
# https://httpd.apache.org/docs/2.4/en/mod/core.html#serversignature
ServerSignature Off

# Determines the behavior on TRACE requests, which are nomaly used
# to debug the behavior of the web server
# https://httpd.apache.org/docs/2.4/en/mod/core.html#traceenable
TraceEnable Off

# X-Powered-By gives information about installed PHP version
Header always unset X-Powered-By
Header unset X-Powered-By

### 2. Block access to version control directories;
<DirectoryMatch "/\.svn">
   Require all denied
</DirectoryMatch>

<DirectoryMatch "/\.git">
   Require all denied
</DirectoryMatch>

### 3. Prevent other sites from embedding pages from this site as frames
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Header set X-Frame-Options: "sameorigin"

### 4. Enforce HTTPS
# Can be reset by applying "max-age=0"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000"

### 5. Prevent MIME-type sniffing by web browsers
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Header set X-Content-Type-Options: "nosniff"

### 6. Prevent information leak through the referrer header
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Header set Referrer-Policy "same-origin"

You can now enable the config with:

sudo a2enconf 99-harden
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept