By default the Apache web server does not ship with its security settings enabled. We have to turn on the hardening settings below before making it live and accessible to the outside world.
Remove Server Version Banner:
Modify httpd.conf, add the following directives, and save it:
Disable directory browser listing:
Edit httpd.conf and use the following:
Disable ETags:
Run Apache from a non-privileged account on Linux:
Create a group called apache, then a user called apache that belongs to it (useradd -G requires the group to exist first):
# groupadd apache
# useradd -G apache apache
Change the ownership of the Apache installation directory to the newly created non-privileged user:
# chown -R apache:apache /opt/apache
Protect the permissions of the Apache binary and configuration directories (run from the installation directory, /opt/apache in this example):
# chmod -R 750 bin conf
System Settings Protection:
Edit httpd.conf and match it with the below:
Disable TRACE HTTP Requests:
By default clients can send TRACE requests to your server; if you want to hide this, disable tracing:
Clickjacking Attack:
To prevent other site owners from embedding your website in an iframe, add the following directive to httpd.conf:
Header always append X-Frame-Options SAMEORIGIN
Cross Site Scripting (XSS) protection:
Header set X-XSS-Protection "1; mode=block"
By default the Apache Timeout value is 300 seconds; you can change it:
SSL Cipher: a cipher suite is the set of encryption algorithms used for a TLS session. If you want your server to accept only high-security cipher suites, change it as below:
Modify the SSLCipherSuite directive in httpd-ssl.conf as shown below:
Disable SSL v2:
According to https://www.sslshopper.com, if your website uses SSL, you also need to disable insecure protocols like SSL 2.0 and weak ciphers, or you will fail a PCI compliance scan. Strangely, most versions of Apache have SSL 2.0 enabled by default.
Modify the SSLProtocol directive in httpd-ssl.conf as shown below to disable it:
SSLProtocol -ALL +SSLv3 +TLSv1
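As an added example that is not part of the original post, a small Python audit that parses constructed httpd.conf fragments and reports which of the items above (server banner, directory listing, TRACE, X-Frame-Options, SSLv2) are still at an unsafe value; its SSLProtocol evaluation mirrors the -ALL/+protocol syntax used above. Note that the SSLProtocol line above still permits SSLv3 and TLS 1.0, which current guidance also disables; the check only covers the SSLv2 case the page targets.

```python
# Constructed httpd.conf fragments (not from a real server): defaults this page tells
# you to change, and the same settings after applying its directives.
WEAK_CONF = """\
ServerTokens Full
Options Indexes FollowSymLinks
TraceEnable On
SSLProtocol ALL
"""
HARDENED_CONF = """\
ServerTokens Prod
Options -Indexes FollowSymLinks
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN
SSLProtocol -ALL +SSLv3 +TLSv1
"""

def parse(conf):
    # Yield (directive, args) lowercased; comments and <section> tags are skipped (nesting ignored).
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.lower().split()
            yield name, args

def sslv2_enabled(args):
    # Evaluate SSLProtocol as Apache does: ALL/-ALL, then +/- per protocol
    # (only the protocols this page names are tracked).
    enabled = set()
    for tok in (a.lower() for a in args):
        if tok in ("all", "+all"):
            enabled |= {"sslv2", "sslv3", "tlsv1"}
        elif tok == "-all":
            enabled.clear()
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return "sslv2" in enabled

def audit(conf):
    # Page's hardening items still unsafe; an absent directive takes its Apache 2.4 default.
    last = dict(parse(conf))  # repeated directive: last occurrence wins, as in Apache
    headers = [" ".join(a) for n, a in parse(conf) if n == "header"]
    checks = [
        ("ServerTokens", last.get("servertokens", ["full"]) != ["prod"]),
        ("Options Indexes", "indexes" in [a.lstrip("+") for a in last.get("options", [])]),
        ("TraceEnable", last.get("traceenable", ["on"]) != ["off"]),
        ("X-Frame-Options", not any("x-frame-options" in h for h in headers)),
        ("SSLProtocol SSLv2", sslv2_enabled(last.get("sslprotocol", ["all"]))),
    ]
    return [item for item, unsafe in checks if unsafe]
```

Running audit(WEAK_CONF) lists all five items, while audit(HARDENED_CONF) returns an empty list.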