Securing Apache: security.conf

Posted by Peter Bassill on 01/07/2019

Apache is probably the most widely deployed web server, and despite the well-documented guides on how to secure it, we come across web server header issues and very poor SSL configurations on a daily basis. To aid remediation, here is Peter Bassill’s recommended configuration for the Apache global security file, /etc/apache/conf-enabled/security.conf:

# Server banner: ModSecurity's SecServerSignature (below) only works when
# ServerTokens is Full, because it overwrites the full banner string.
ServerTokens Full
ServerSignature On
TraceEnable Off
FileETag None

# Response headers
Header unset Pragma
Header unset ETag
Header always set x-xss-protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header set Referrer-Policy "no-referrer"

# TLS: two-year HSTS, TLS 1.2 and later only
<IfModule mod_ssl.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    SSLProtocol ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
    SSLHonorCipherOrder On
</IfModule>

# ModSecurity with the OWASP Core Rule Set
<IfModule security2_module>
    SecServerSignature "web"
    Include /usr/share/modsecurity-crs/*.conf
    Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
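A quick way to confirm the directives above actually took effect is to inspect a live response rather than trusting the config file. The following Python script is an added example, not part of the original post: it parses a raw HTTP/1.x response and reports which of the headers security.conf is meant to set are missing or carry an unexpected value, and whether the Server header still leaks a version. The two sample responses are constructed; the Server-header heuristic (digits or a parenthesised comment count as disclosure) is an assumption of this example, and the same function can be fed the bytes of a real response captured with curl -i or openssl s_client.

```python
"""Check an HTTP response against the policy expressed by security.conf.

Added example (not the post's own code). The sample responses below are
constructed to resemble a hardened server and a default Apache install.
"""
import re
from typing import Dict, List

# Constructed: what a server running the security.conf above should return.
GOOD_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Date: Mon, 01 Jul 2019 10:00:00 GMT",
    b"Server: web",
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains",
    b"X-XSS-Protection: 1; mode=block",
    b"X-Frame-Options: SAMEORIGIN",
    b"X-Content-Type-Options: nosniff",
    b"Referrer-Policy: no-referrer",
    b"Content-Type: text/html",
    b"",
    b"<html></html>",
])

# Constructed: a default install that discloses its version and sends
# none of the hardening headers.
BAD_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Date: Mon, 01 Jul 2019 10:00:00 GMT",
    b"Server: Apache/2.4.29 (Ubuntu)",
    b'ETag: "2d-5a1e8c3b7f0c0"',
    b"Pragma: no-cache",
    b"Content-Type: text/html",
    b"",
    b"<html></html>",
])

# Header values the config sets unconditionally (names lower-cased,
# because HTTP header names are case-insensitive).
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
}
MIN_HSTS_AGE = 63072000  # two years, matching the config


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response.

    Returns {lower-cased name: [values in arrival order]}; repeated
    headers are kept so duplicates can be flagged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_response(raw: bytes, tls: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the response
    matches security.conf. Pass tls=False for a plain-HTTP response,
    where HSTS is not expected."""
    h = parse_headers(raw)
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif len(got) != 1 or got[0].lower() != want.lower():
            # Catches duplicates and comma-joined values such as
            # "SAMEORIGIN, SAMEORIGIN" produced by a second setter.
            findings.append(f"unexpected {name}: {got}")
    for name in ("etag", "pragma"):
        if name in h:
            findings.append(f"{name} should be unset")
    server = h.get("server", [""])[0]
    # Assumption of this example: a digit or parenthesised comment in the
    # banner means a product version or OS is being disclosed.
    if re.search(r"\d", server) or "(" in server:
        findings.append(f"server header discloses details: {server!r}")
    if tls:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing strict-transport-security")
        else:
            m = re.search(r"max-age=(\d+)", hsts[0])
            if not m or int(m.group(1)) < MIN_HSTS_AGE:
                findings.append(f"hsts max-age below {MIN_HSTS_AGE}: {hsts[0]}")
            if "includesubdomains" not in hsts[0].lower():
                findings.append("hsts lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, resp in (("hardened", GOOD_RESPONSE), ("default", BAD_RESPONSE)):
        print(label, check_response(resp) or ["ok"])
```

Because `Header append` merges with any value the application already sent, an app that sets its own X-Frame-Options produces "SAMEORIGIN, SAMEORIGIN" on the wire; the value comparison above flags that case so it can be traced back to whichever layer set it.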
