Securing Apache2 and how to secure your apache config



Posted on 2019-07-01 by Peter Bassill in category Guides.




Apache is probably the most commonly used web server, and although there are well-documented guides on how to secure it, we come across web server header issues and very poor SSL configurations on a daily basis. To aid remediation, here is Peter Bassill’s recommended configuration for the Apache global security file, /etc/apache/conf-enabled/security.conf:


```apache
# Full is required for SecServerSignature (below) to replace the banner
ServerTokens Full
ServerSignature On
TraceEnable Off
FileETag None

# Do Header stuff
Header unset Pragma
Header unset ETag
Header always set x-xss-protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header set Referrer-Policy "no-referrer"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# TLS: strong ciphers only, TLSv1.1 and older disabled
SSLCipherSuite HIGH:!MEDIUM:!RSA:!aNULL:!MD5:!SEED:!IDEA
SSLProtocol ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On

# ModSecurity: mask the Server header and load the Core Rule Set
SecServerSignature "web"
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/activated_rules/*.conf
```

