This post explores some security configurations that developers and DevOps engineers can consider when an application is served by the Apache HTTP Server.
The first step is to locate the httpd.conf file of the Apache installation; this is the file where the additional security settings are added. Make sure the '#' is removed from the line "LoadModule headers_module modules/mod_headers.so", so that mod_headers is loaded (the Header directives below depend on it). Restart the server after making the changes for them to take effect.
Secure Cookie:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Note that when testing on localhost, the Chrome browser will not show the cookie, because localhost is served over http and the Secure flag restricts the cookie to https. A session cookie is used (in the cookie's Expires field it should show Session).
Cross-Frame Scripting (XFS) protection:
Header set Content-Security-Policy "frame-ancestors 'none';"
Header set X-Frame-Options "DENY"
Preventing Information Disclosure about the server and language:
The following settings remove the Apache version information from error messages and from the response headers:
ServerSignature Off
ServerTokens Prod
In the php.ini config file, set expose_php to Off to remove the PHP version from the response header:
expose_php=Off
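As an added example (not code from the original post), the following Python script audits a captured set of response headers against all three points above: the cookie flags (HttpOnly, Secure, SameSite=Strict), the framing protection (frame-ancestors 'none' and X-Frame-Options DENY), and the version disclosure in the Server and X-Powered-By headers. The two header dumps are constructed samples representing the same server before and after the settings are applied; the function and header names are the author's own choice here and are not part of Apache.

```python
"""Audit raw HTTP response headers for the Apache hardening settings above.

Feed `audit_headers` the text of a response header block (for instance the
output of `curl -sI https://host/`); it returns a dict of check -> bool,
where True means the hardening is in place.
"""
import re

# Constructed sample: headers from a server BEFORE the settings are applied.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html
"""

# Constructed sample: the same server AFTER the httpd.conf / php.ini changes.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure;SameSite=Strict
Content-Security-Policy: frame-ancestors 'none';
X-Frame-Options: DENY
Content-Type: text/html
"""


def parse_headers(raw):
    """Return a list of (name_lowercase, value) pairs, skipping the status line."""
    headers = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_flags(value):
    """Lower-cased attributes of one Set-Cookie value, e.g. {'httponly', 'secure'}."""
    return {part.strip().lower() for part in value.split(";")[1:]}


def audit_headers(raw):
    headers = parse_headers(raw)

    def get(name):
        return [v for (k, v) in headers if k == name]

    cookies = get("set-cookie")
    result = {}
    # Every cookie must carry HttpOnly, Secure and SameSite=Strict.
    # (all() over an empty list is True: a response that sets no cookie passes.)
    result["cookie_httponly"] = all("httponly" in cookie_flags(c) for c in cookies)
    result["cookie_secure"] = all("secure" in cookie_flags(c) for c in cookies)
    result["cookie_samesite_strict"] = all("samesite=strict" in cookie_flags(c) for c in cookies)
    # Framing protection: CSP frame-ancestors 'none' plus X-Frame-Options DENY.
    csp = " ".join(get("content-security-policy"))
    result["csp_frame_ancestors_none"] = bool(re.search(r"frame-ancestors\s+'none'", csp, re.I))
    result["x_frame_options_deny"] = any(v.upper() == "DENY" for v in get("x-frame-options"))
    # Information disclosure: no version number in Server, no X-Powered-By at all.
    server = " ".join(get("server"))
    result["server_no_version"] = not re.search(r"\d+\.\d+", server)
    result["no_x_powered_by"] = not get("x-powered-by")
    return result


def missing(raw):
    """Names of the checks that fail, sorted, for quick reporting."""
    return sorted(name for name, ok in audit_headers(raw).items() if not ok)


if __name__ == "__main__":
    print("before:", missing(BEFORE) or "all checks pass")
    print("after: ", missing(AFTER) or "all checks pass")
```

Run it against a real capture by replacing the sample text with the output of curl -sI; a non-empty list from missing() tells you which of the settings above has not taken effect (for instance, a cookie still lacking SameSite=Strict usually means mod_headers is not loaded).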