The Web Server is a crucial part of web-based applications. Having misconfigured and the default configuration can expose sensitive information, and that’s a risk. As a website owner or administrator, you should regularly perform security scans against your website to find for online threats so you can take action before a hacker does. Let’s go through essential configurations to keep your Apache webserver. Following all configuration is in httpd.conf of your apache instance. Note: take a backup of the necessary configuration file before modification, so restoration is easy when things go wrong.

Disable Trace HTTP Request

The default TraceEnable on permits TRACE, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client. TraceEnable on allows for Cross-Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.

Solution

You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.

Run as separate User & Group

By default, Apache is configured to run with nobody or daemon. Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.

Solution

Running Apache in its own non-root account is good. Modify User & Group Directive in httpd.conf of your Apache Web Server

Disable Signature

The Off setting, which is the default, suppresses the footer line. The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

Solution

It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

Disable Banner

This directive controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Solution

Restrict Access to a Specific Network or IP

If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf

Solution

Give the network address in the Allow directive. Give the IP address in the Allow directive.

Use only TLS 1.2

SSL 2.0, 3.0, TLS 1, 1.1 reportedly suffers from several cryptographic flaws. Need help with configuring SSL? refer to this guide.

Solution

Disable Directory Listing

If you don’t have index.html under your WebSite Directory, the client will see all files and sub-directories listed in the browser (like ls –l output).

Solution

To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes” OR

Remove unnecessary DSO Modules

Verify your configuration to remove redundant DSO modules. There are many modules activated by default after installation. You can remove which you don’t need.

Disable Null and Weak Ciphers

Allow only strong ciphers, so you close all the doors who try to handshake on lower cipher suites.

Solution

Stay Current

As Apache is an active open-source, the easiest way to improve the security of Apache Web Server is to keep the latest version. New fixes and security patches are added in every release. Always upgrade to the latest stable version of Apache. Above are just a few of the essential configuration, and if you are looking for in-depth, then you can refer my step-by-step security & hardening guide.

10 Best Practices To Secure and Harden Your Apache Web Server - 8510 Best Practices To Secure and Harden Your Apache Web Server - 7010 Best Practices To Secure and Harden Your Apache Web Server - 7910 Best Practices To Secure and Harden Your Apache Web Server - 6610 Best Practices To Secure and Harden Your Apache Web Server - 2910 Best Practices To Secure and Harden Your Apache Web Server - 1610 Best Practices To Secure and Harden Your Apache Web Server - 910 Best Practices To Secure and Harden Your Apache Web Server - 8110 Best Practices To Secure and Harden Your Apache Web Server - 7510 Best Practices To Secure and Harden Your Apache Web Server - 5310 Best Practices To Secure and Harden Your Apache Web Server - 6610 Best Practices To Secure and Harden Your Apache Web Server - 7410 Best Practices To Secure and Harden Your Apache Web Server - 3110 Best Practices To Secure and Harden Your Apache Web Server - 9110 Best Practices To Secure and Harden Your Apache Web Server - 9710 Best Practices To Secure and Harden Your Apache Web Server - 8510 Best Practices To Secure and Harden Your Apache Web Server - 6810 Best Practices To Secure and Harden Your Apache Web Server - 7210 Best Practices To Secure and Harden Your Apache Web Server - 5110 Best Practices To Secure and Harden Your Apache Web Server - 9810 Best Practices To Secure and Harden Your Apache Web Server - 6210 Best Practices To Secure and Harden Your Apache Web Server - 2710 Best Practices To Secure and Harden Your Apache Web Server - 12