Apache web server hardening and security guide


The web server is a crucial part of web-based applications. Apache HTTP Server is often placed at the edge of the network, which makes it one of the most exposed services to attack. A practical guide to securing and hardening Apache HTTP Server, by Chandan Kumar.

The default configuration exposes a lot of sensitive information that can help an attacker prepare an attack on the application. The majority of web application attacks are XSS, information leakage, session management and SQL injection attacks, which stem from weak application code and a failure to harden the web application infrastructure.

Practical advice in the article covers:

  • Remove server version banner
  • Disable directory browser listing
  • Etag
  • Run Apache from a non-privileged account
  • Protect binary and configuration directory permission
  • System settings protection
  • HTTP request methods
  • Disable trace HTTP request
  • Set cookie with HttpOnly and secure flag
  • X-XSS protection
  • Mod security

… and more. The article is a great helper for middleware administrators, application support staff, system analysts, or anyone working with or eager to learn hardening and security guidelines. Good read!
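As an added illustration (not taken from the article or from Chandan Kumar's text), here is a single httpd.conf fragment that applies the items listed above, with the default it replaces noted in each comment; the service account name and document root are assumptions.

```apache
# Server banner: the defaults (ServerTokens OS / ServerSignature On) leak
# the Apache version and OS in the Server header and on error pages.
ServerTokens Prod
ServerSignature Off

# ETag: the default FileETag includes the file inode number; drop it
# (MTime Size is an alternative if ETags are needed for caching).
FileETag None

# Run worker processes as a non-privileged account (assumed name; the
# distribution package normally creates www-data, apache or httpd).
User apache
Group apache

# TRACE is enabled by default; disable it (Cross-Site Tracing).
TraceEnable Off

# Assumed document root; directory listing is disabled here and only
# the HTTP methods the application needs are allowed.
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# Cookie and browser headers (needs mod_headers loaded).
# Note: this edit appends the flags unconditionally, so an application
# that already sets them will get duplicate attributes.
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
# Legacy header; current browsers ignore it, so a Content-Security-Policy
# should be the primary XSS control.
Header always set X-XSS-Protection "1; mode=block"
```

Apache's `apachectl configtest` (or `httpd -t`) validates the syntax before a reload; the Secure flag only makes sense once the site is served over HTTPS.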
