Skip to content

Configuring Security Headers in Apache

Views: 104

This post explores some security configurations that Developers / DevOps engineer can consider when Apache server is used by the application.

The first thing to do is to identify the location of the httpd.conf file in the Apache server. This is the file where we will add the additional security settings to the server. Make sure ‘#’ is removed from the line “LoadModule headers_module modules/mod_headers.so”. Restart the server after the changes are made in order to see the effects.

Secure Cookie:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

Note that if you are testing the localhost, Chrome browser will not display cookie because localhost is using http. Session cookie is used (In cookie expires, it should show session)

Cross-Frame Scripting (XFS) protection:

Header set Content-Security-Policy "frame-ancestors none;"
Header set X-Frame-Options: "DENY"

Preventing Information Disclosure about the server and language

The following setings will remove Apache Version information from the error messages and header response.

ServerSignature Off
ServerTokens Prod

In php.ini config file, set expose_php as off to remove PHP version in the header response.

expose_php=Off

References:

  1. https://www.petefreitag.com/item/419.cfmhttps://geekflare.com/httponly-secure-cookie-apache/
  2. https://memorynotfound.com/remove-x-powered-by-php-from-http-response-header/#:~:text=Look%20for%20the%20expose_php%20attribute,from%20the%20HTTP%20Response%20Header.
  3. https://cloudblue.freshdesk.com/support/solutions/articles/44001883958-disabling-apache-http-server-indexing-of-icons-directory
Published inWeb Security

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *