
Security hardening for Apache web server

1. Enable HTTPS (SSL)

It is highly recommended to use HTTPS (encrypted) communication rather than HTTP.

2. Disable deprecated SSL/TLS protocols, allow TLS v1.2 only

It is recommended to disable the SSL 3.0 protocol (and the older TLS versions) and force clients to use the more secure TLS v1.2.

Edit file /etc/httpd/conf.d/ssl.conf (for CentOS 7) and locate the SSLProtocol line. If it is commented out with a #, remove the hash (#) symbol and change it to the following:

SSLProtocol TLSv1.2

Now, to increase the security strength, we can also disable the weaker ciphers: locate the SSLCipherSuite line, uncomment it and make it:

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA:!RC4:!3DES

3. Disable TRACE method

Add the following line to the end of file /etc/httpd/conf/httpd.conf:

TraceEnable off

4. Enable HTTP Strict Transport Security

The Strict-Transport-Security header is a security enhancement that restricts web browsers to accessing the web server solely over HTTPS. This ensures the connection cannot be established over an insecure HTTP connection, which could be susceptible to attacks.

All major modern browsers currently support HTTP Strict Transport Security, except for Opera Mini and older versions of Internet Explorer.

Edit file /etc/httpd/conf.d/ssl.conf (for CentOS 7), locate the line <VirtualHost _default_:443> and add the following lines inside that block:

<VirtualHost _default_:443>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  </IfModule>

5. Hide version information from response

By default, Apache sends back to clients a response that includes a description of the generic OS-type of the server as well as information about compiled-in modules, like Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2.

Exposing the server version makes it easier for attackers to target known vulnerabilities in that version if they have not yet been patched.

To hide the server version information, add the following line to the end of file /etc/httpd/conf/httpd.conf:

ServerTokens Prod

With this change, a response from the web server will contain only Server: Apache.

6. Reduce MIME type security risks

The following change helps prevent attacks based on MIME-type confusion (browsers guessing a content type that differs from the declared one). This and the following Header directives require mod_headers to be loaded; on CentOS 7 the stock configuration loads it.

Add the following line to the end of file /etc/httpd/conf/httpd.conf:

Header set X-Content-Type-Options "nosniff"

7. Enable X-XSS-Protection

The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. Browsers usually enable this filter by default, but sending the header enforces it explicitly. It is supported by Internet Explorer 8+, Chrome, and Safari.

Add the following line to the end of file /etc/httpd/conf/httpd.conf:

Header set X-XSS-Protection "1; mode=block"

8. Configure X-Frame-Options

The X-Frame-Options header is designed to prevent the site's content from being embedded (framed) into other sites. It is recommended as a defence against clickjacking attacks.

Add the following line to the end of file /etc/httpd/conf/httpd.conf:

Header set X-Frame-Options "SAMEORIGIN"

9. Reload Apache configuration

CentOS 7:

service httpd reload
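After the reload, it is worth confirming that the server really sends the headers configured above. The script below is an added example written for this page, not part of Apache or the original guide: it audits a block of captured response headers (constructed samples are embedded; in live use pipe in the output of curl -sI) and reports each missing or weak hardening setting.

```shell
#!/bin/sh
# Audit a block of HTTP response headers against the hardening steps above.
# Hypothetical helper written for this page; not part of Apache or the guide.
# Live use: curl -sI https://your.host | audit_headers

# Reads raw headers on stdin; prints one MISSING:/WEAK: line per finding,
# nothing when every check passes.
audit_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')      # strip CRLF, make matching case-insensitive
  get() { printf '%s\n' "$hdrs" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1; }

  case "$(get server)" in
    apache|"") ;;                             # ServerTokens Prod (or header removed)
    *) echo "WEAK: Server header leaks version info: $(get server)" ;;
  esac
  case "$(get strict-transport-security)" in
    "") echo "MISSING: Strict-Transport-Security" ;;
    *max-age=0*) echo "WEAK: HSTS max-age=0 turns the policy off" ;;
    *includesubdomains*) ;;
    *) echo "WEAK: HSTS lacks includeSubDomains" ;;
  esac
  [ "$(get x-content-type-options)" = nosniff ] || echo "MISSING: X-Content-Type-Options nosniff"
  case "$(get x-frame-options)" in
    deny|sameorigin) ;;
    *) echo "MISSING: X-Frame-Options DENY or SAMEORIGIN" ;;
  esac
  [ "$(get x-xss-protection)" = "1; mode=block" ] || echo "MISSING: X-XSS-Protection 1; mode=block"
}

# Number of findings for the header block passed as $1 (always exits 0).
finding_count() { printf '%s\n' "$1" | audit_headers | awk 'END { print NR }'; }

# Constructed sample responses, not captured from a real server.
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Type: text/html'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

printf '%s\n' "$DEFAULT_RESPONSE" | audit_headers                  # lists five findings
echo "hardened findings: $(finding_count "$HARDENED_RESPONSE")"    # 0
```

Run apachectl configtest before the reload as well: a typo in any of the directives (or a missing mod_headers) stops httpd from loading the new configuration at all.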