When setting up a new Apache server to run your application, it’s always a good idea to set up some initial security settings as part of the process. Luckily, Apache ships with a default security.conf file that can be enabled and updated to add basic hardening to your server.
After installing Apache, you can enable the default security configuration using:
sudo a2enconf security
The above command enables the security.conf file found in the /etc/apache2/conf-available directory. This file can then be modified to add extra options to further harden your setup.
It’s generally a good idea to hide information about the specifics of your system, like the Apache or PHP version numbers, to make it harder for attackers to match your server against a known vulnerability. This can be achieved by changing the following two options in the security.conf file:
ServerTokens Prod
ServerSignature Off
This will turn the server information from:
Server: Apache/2.4.29 (Ubuntu)
There are also default headers you can set for your application (making use of the mod_headers module for Apache) that will prevent your application from being iframed into other pages, prevent content sniffing, and more. For most of the applications I create, this is what my security.conf tends to look like:
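The fragment below is an added example of a security.conf that implements the settings discussed above; it is not the author's own file. It assumes mod_headers is available (as on a stock Debian/Ubuntu install), and the SAMEORIGIN and HSTS values are choices to adjust for your application.

```apache
# /etc/apache2/conf-available/security.conf (added example, not the author's file)

# Collapse the Server header to "Server: Apache" and drop the version
# footer from server-generated pages (error pages, directory listings).
ServerTokens Prod
ServerSignature Off

# TRACE echoes request headers back to the client; an application
# server has no use for it.
TraceEnable Off

<IfModule mod_headers.c>
    # "always" applies the header to error responses as well as 2xx ones.

    # Refuse to be framed by other origins (clickjacking defence).
    # Use DENY if nothing on your own site needs to frame the app.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers guessing a MIME type different from Content-Type.
    Header always set X-Content-Type-Options "nosniff"

    # Don't leak full URLs (including query strings) to third-party sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Only meaningful over TLS: tell browsers to use HTTPS for a year.
    # Conditional on the HTTPS env var so it is never sent on plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    # PHP advertises its version in X-Powered-By. The proper fix is
    # expose_php = Off in php.ini; stripping it here is a backstop.
    Header unset X-Powered-By
</IfModule>
```

After editing, run `apache2ctl configtest` and reload; then confirm with `curl -sI https://your-host/` that the Server header reads only "Apache" and that the new headers appear on both a normal page and a 404.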
Excellent. Do you have any tips for stopping people with no UA? Giving them a 403 or something like that.
You can use .htaccess files to show a 403 error or similar:
The F flag will show Forbidden 403, and the L flag means no further rewrites will be processed.