Basic Apache Security Recipes

There are some (very basic) tunables that should be changed to improve the overall security of a default Apache installation.

Only the parameters I recommend changing are listed.

Server Config

Reduce what the server discloses about itself and close two findings that PCI scanners commonly flag:

# [...]
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory 
# listings, mod_status and mod_info output etc., but not CGI generated 
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off
# Security Fix (PCI)
# Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
TraceEnable Off
# Security Fix (PCI)
# Apache Web Server ETag Header Information Disclosure Weakness
FileETag MTime Size

Prefer the server's cipher order, disable the broken protocols (SSLv2, SSLv3) and TLS compression (CRIME), and pair this with an SSLCipherSuite list from the source referenced in the comment:

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
# Source: | Intermediate | Version 3.3
# Retrieved: 2014-10-24
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off

Secure Your .git Directories and Make Them Inaccessible Via Apache

If you happen to have .git directories anywhere in your docroot, you can secure them like so:

# add the following to each VirtualHost section, the SSL VirtualHosts included!

RedirectMatch 404 /\.git

This returns 404 Not Found for any URL-path containing /.git, wherever such a directory sits below the docroot, so a client cannot even tell that the repository exists.
Because the pattern is unanchored, it also covers .gitignore and .gitattributes files (and anything else whose name starts with .git, such as a .github directory).
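To see exactly which request paths the rule above catches, here is an added example (not code from the original page) that applies the same unanchored regex to a constructed set of paths with Python's re.search, which mirrors how mod_alias matches a RedirectMatch pattern against the URL-path. The "strict" pattern is my own tighter alternative for comparison, not something the page recommends.

```python
"""Compare the coverage of candidate RedirectMatch patterns for hiding
git metadata. Added example, not part of the original page; the paths
are constructed for the demonstration."""
import re

# Constructed request paths: repository internals, git metadata files,
# and look-alikes that should keep working.
SAMPLE_PATHS = [
    "/.git/HEAD",
    "/.git/config",
    "/app/.git/objects/ab/cdef",
    "/.gitignore",
    "/themes/.gitattributes",
    "/.github/workflows/ci.yml",
    "/git/index.html",
    "/docs/git-tutorial.html",
]

PATTERNS = {
    "page":   r"/\.git",        # the rule from the page: anything starting with .git
    "strict": r"/\.git(/|$)",   # assumed alternative: the repository directory only
}


def blocked_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths that `RedirectMatch 404 <pattern>` would turn into 404s.

    mod_alias applies the regex unanchored to the URL-path, which is what
    re.search does here."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def coverage():
    """Map each candidate pattern name to the list of paths it blocks."""
    return {name: blocked_paths(rx) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, blocked in coverage().items():
        print(name)
        for p in SAMPLE_PATHS:
            print("  %-4s %s" % ("404" if p in blocked else "ok", p))
```

The page's pattern blocks the six paths that start with /.git, including the .github directory; the strict one blocks only the three repository paths and lets .gitignore through, so if you need it you have to add a second rule for the .git* metadata files. Either way, after a reload a request for /.git/HEAD on both the plain and the SSL vhost must come back as 404.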


If PHP is used, make sure your php.ini contains the following (the default is On, which adds an X-Powered-By: PHP/x.y.z header to every response):

expose_php = Off
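To verify that the Server Config directives above (ServerTokens, ServerSignature, TraceEnable, FileETag) and expose_php actually took effect, here is an added example, not code from the original page, that audits raw HTTP responses offline. Feed it what `curl -si` returns for a static file, for a missing page and for a TRACE request; the responses embedded below are constructed for the demonstration, not captured from a real server.

```python
"""Offline audit of Apache responses for the information-disclosure points
in this page. Added example, not part of the original page; all sample
responses are constructed."""
import re

# Default FileETag (INode MTime Size) yields three hex groups; "MTime Size"
# yields two. The leading inode number is what the scanner finding objects to.
_ETAG_WITH_INODE = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$')
# ServerSignature On appends this footer to server-generated pages.
_SIGNATURE = re.compile(r"<address>[^<]*Server at [^<]* Port \d+</address>")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for the headers inspected here."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(get_responses, trace_response):
    """Return sorted findings, one per directive still at its leaky default."""
    findings = set()
    for raw in get_responses:
        _, hdrs, body = parse_response(raw)
        server = hdrs.get("server", "")
        # ServerTokens Prod reduces the Server header to exactly "Apache".
        if server and server != "Apache":
            findings.add("ServerTokens: Server header is '%s'" % server)
        etag = hdrs.get("etag", "")
        if _ETAG_WITH_INODE.match(etag):
            findings.add("FileETag: ETag %s includes the inode number" % etag)
        if "x-powered-by" in hdrs:
            findings.add("expose_php: X-Powered-By header is '%s'" % hdrs["x-powered-by"])
        if _SIGNATURE.search(body):
            findings.add("ServerSignature: version footer in server-generated page")
    t_status, _, _ = parse_response(trace_response)
    # TraceEnable Off makes Apache answer TRACE with 405; a 200 echoes the
    # request back, which is what cross-site tracing relies on.
    if t_status == 200:
        findings.add("TraceEnable: TRACE method is enabled")
    return sorted(findings)


# Constructed responses: first a server at Apache's defaults ...
DEFAULT_FILE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    'ETag: "2a1f3-1d4-5066e3c5e9e00"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.4.7 (Ubuntu) Server at www.example.com Port 80</address>"
    "</body></html>"
)
DEFAULT_TRACE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
)
# ... then the same server with the directives from this page applied.
HARDENED_FILE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    'ETag: "1d4-5066e3c5e9e00"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)
HARDENED_TRACE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "\r\n"
    "<html><body><h1>Method Not Allowed</h1></body></html>"
)

if __name__ == "__main__":
    print("default: ", audit([DEFAULT_FILE, DEFAULT_404], DEFAULT_TRACE))
    print("hardened:", audit([HARDENED_FILE, HARDENED_404], HARDENED_TRACE))
```

Run against the default responses it reports all five points; against the hardened ones it reports nothing. Note that the ServerSignature footer only appears on server-generated pages, so the missing-page response is the one to capture for that check.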
apache/security.txt · Last modified: 2015-11 by tb