Hardening Apache Using Security Configuration

When setting up a new Apache server to run your application, it’s always a good idea to set up some initial security settings as part of the process. Luckily, Apache ships with a default security.conf file that can be enabled and edited to add basic hardening to your server.

After installing Apache, you can enable the default security configuration using:

sudo a2enconf security

The above command enables the security.conf file found in the /etc/apache2/conf-available directory (by linking it into conf-enabled). This file can then be modified to add extra options that further harden your setup.

It’s generally a good idea to hide details about your system, such as the Apache or PHP version numbers, so that attackers cannot easily match your server against a known vulnerability. This can be achieved by changing the following two options in the security.conf file:

ServerTokens Prod
ServerSignature Off

This will turn the server information from:

Server: Apache/2.4.29 (Ubuntu)

to just:

Server: Apache

There are also default headers you can set for your application (using Apache’s mod_headers module) that will prevent your application from being embedded in an iframe on other pages, prevent content-type sniffing, and more. For most of the applications I create, this is what my security.conf tends to look like:
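
The author’s own security.conf is not reproduced on this page; the fragment below is an added example, not the author’s file, showing the directives discussed above (version hiding plus mod_headers response headers). It assumes mod_headers is enabled (sudo a2enmod headers) and that the site is served entirely over HTTPS before the HSTS line is used.

```apache
# Added example security.conf fragment (not the author's configuration).
# Assumes: mod_headers enabled with "sudo a2enmod headers".

# Hide the Apache version in the Server header and on error pages
ServerTokens Prod
ServerSignature Off

# Do not let clients use TRACE to echo request headers (e.g. cookies) back
TraceEnable Off

<IfModule mod_headers.c>
    # Stop other sites from embedding the application in a frame (clickjacking)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from guessing the MIME type of responses
    Header always set X-Content-Type-Options "nosniff"

    # Only send the origin in the Referer header when navigating to other sites
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Tell browsers to use HTTPS for one year; enable only once the whole
    # site (including subdomains) is served over TLS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Remove the header PHP adds that advertises its version
    # (set expose_php = Off in php.ini as well)
    Header unset X-Powered-By
</IfModule>

# Block access to hidden files such as .htaccess, .htpasswd and .git
<FilesMatch "^\.(ht|git)">
    Require all denied
</FilesMatch>
```

After editing, run `sudo apachectl configtest` and `sudo systemctl reload apache2`, then check the result with `curl -sI http://localhost/`, which should show `Server: Apache` and the new headers without any version numbers.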

Apache, Hardening, Security

2 comments on “Hardening Apache Using Security Configuration”

  1. Doug says:
    September 21, 2020 at 6:12 PM

    Excellent. Do you have any tips for stopping people with no UA? Giving them a 403 or something like that.

    • Niraj Shah says:
      September 23, 2020 at 3:33 PM

      You can use .htaccess files to show a 403 error or similar:

      # Requires mod_rewrite; RewriteEngine must be on for the rule to apply
      RewriteEngine On
      # Match a missing User-Agent header (empty, or the literal "-" sent by some clients)
      RewriteCond %{HTTP_USER_AGENT} ^-?$
      # F = return 403 Forbidden, L = stop processing further rewrite rules
      RewriteRule .* - [F,L]

      The F flag will return a 403 Forbidden, and the L flag means no further rewrites will be processed.


© 2011-2022 Niraj Shah