Securing Apache: security.conf

Apache is probably the most common web server in use, and despite there being well-documented guides on how to secure it, we come across web server header issues and very poor SSL/TLS configurations on a daily basis. To aid remediation, here is Peter Bassill’s recommended configuration for the Apache global security file, /etc/apache/conf-enabled/security.conf:

# ServerTokens Full is deliberate here: SecServerSignature (below) can only rewrite the
# Server header when Apache emits the full string. If mod_security is not loaded, use
# ServerTokens Prod and ServerSignature Off instead, or the full version string is exposed.
ServerTokens Full
ServerSignature On
# Refuse HTTP TRACE (cross-site tracing) and stop generating ETags from file metadata
TraceEnable Off
FileETag None

# Header directives need mod_headers (a2enmod headers); without it Apache refuses to start
Header unset Pragma
Header unset ETag
Header always set x-xss-protection "1; mode=block"
# 'append' merges with any value the application already sets; use 'set' to force a single value
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header set Referrer-Policy "no-referrer"

<IfModule mod_ssl.c>
 # Two-year HSTS; only enable once every subdomain is served over HTTPS
 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 # High-strength ciphers only, no static RSA key exchange (forward secrecy), no anonymous auth
 SSLCipherSuite HIGH:!MEDIUM:!RSA:!aNULL:!MD5:!SEED:!IDEA
 # Everything below TLS 1.2 is disabled
 SSLProtocol ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
 SSLHonorCipherOrder On
</IfModule>

<IfModule security2_module>
 # Replaces the Server header value (requires ServerTokens Full, see above)
 SecServerSignature "web"
 # OWASP ModSecurity Core Rule Set
 Include /usr/share/modsecurity-crs/*.conf
 Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
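To confirm that a host actually sends what the configuration above intends, here is an added header-audit script (my example, not part of the original article). The two sample responses are constructed; the "Server: web" value assumes the SecServerSignature rewrite from the config is active.

```python
import re

MIN_HSTS_AGE = 63072000  # the max-age the config above sets (two years)
# Constructed sample responses: an unhardened host, then one matching the config.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
ETag: "2d-5c1e6a8b"
Pragma: no-cache
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Strict-Transport-Security: max-age=300"""
AFTER = """HTTP/1.1 200 OK
Server: web
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains"""


def parse_headers(raw: str) -> dict:
    """Parse a raw response header block into {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> list:
    """Return findings; an empty list means the response matches the policy."""
    h, findings = parse_headers(raw), []
    server = h.get("server", [""])[0]
    if re.search(r"\d", server):  # version digits mean the Server header leaks build info
        findings.append(f"Server discloses versions: {server}")
    for name in ("pragma", "etag"):  # the config unsets both
        if name in h:
            findings.append(f"{name} header present")
    hsts = h.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < MIN_HSTS_AGE or "includesubdomains" not in hsts.lower():
        findings.append(f"HSTS missing or weaker than policy: {hsts!r}")
    # 'Header append' on a host that already sets XFO yields "SAMEORIGIN, SAMEORIGIN"
    xfo = [v.strip().upper() for v in ",".join(h.get("x-frame-options", [])).split(",") if v.strip()]
    if len(xfo) != 1 or xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing, duplicated or invalid: {xfo}")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings
```

Feed it the header block from a real response (for example the output of curl -sI against the host) to see which of the config's directives have not taken effect.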
