
Many web servers and their web applications run with default configurations and so miss the chance to protect themselves and their visitors better against attacks. Only a few settings require really deep knowledge of their function, so most administrators can easily run a reasonably robust web server.

Unfortunately, the configuration layout differs between distributions, so you should already be familiar with the Apache server. On Debian and Ubuntu the Apache configuration lives in /etc/apache2/apache2.conf, with the security-related part explicitly in /etc/apache2/conf-available/security.conf. On RedHat/CentOS, the files are located at /etc/httpd/conf.d/httpd.conf. These files should contain only Apache-relevant settings, no module configurations! The module configurations, such as TLS, caching, FCGI, etc., are usually kept in their own files. Not all of the necessary settings have to be made in these files, however; they can also be placed in a VirtualHost, specifically for one domain or subdomain.

Apache Header

By default, Apache always sends its version number and, where applicable, its modules to the outside world in the Server header. This is the simplest invitation for attackers and should be turned off. The output can be controlled with the option "ServerTokens". Set ServerTokens to "Prod", which reduces the service's header to the bare output "Apache". The Apache version can still be determined by tools; this only makes detection more difficult and reduces "drive-by" attacks.

ServerTokens Prod

Apache Signature

The option "ServerSignature" is completely unnecessary. It also outputs version numbers and, where configured, even the e-mail address of the stored ServerAdmin on error pages. You should stop this output here as well.

ServerSignature off

Trace

The TRACE method is used for test and diagnostic requests in proxy mode and has no business on public networks. If you want to use it, you should explicitly secure it.

TraceEnable off

ProxyRequests

If Apache is used as an internal proxy, or if the proxy module is simply activated, the option "ProxyRequests" should be deactivated. Otherwise Apache can be used as an open proxy, and foreign content from the network will be delivered by your Apache.

ProxyRequests Off

Status

Status is a module that makes no sense on a production server. It can be used, for example, to read session data, and on public web servers it should only be used with explicit protection. Otherwise it should be disabled unless the module is explicitly needed. Normal operation of the web server is not affected.

a2dismod status

TLS/SSL

Standard installations usually do not have TLS enabled. When it is activated, the protocol settings are usually far too permissive, which makes little sense. This short VirtualHost entry shows the usage:

# SSL
SSLEngine on
SSLProxyEngine on
SSLHonorCipherOrder On
# SSL - protocol/cipher
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/apache2/ssl/<zertifikat>.crt
SSLCACertificateFile /etc/apache2/ssl/<zertifikat>.bundle
SSLCertificateKeyFile /etc/apache2/ssl/<zertifikat>.key

Your own configuration can be tested with SSL Labs.

HSTS

HTTP Strict Transport Security can be used to specify that the client / browser should only reach the domain via TLS. After the first connection to the server, the HSTS option is stored in the client. Even if an HTTP URL of the domain is opened later, the client automatically switches to HTTPS on its side. This option reduces the possibility of a fake page being served to the client via DNS manipulation. This option also requires the header module.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

This option should be used with caution, because in the global context it forces every web page on the Apache to offer a TLS configuration. If that is not the case, the client will answer the connection with an error. If you have several domains with different configurations on your server, you can place the Header directive in a virtual host instead. The last option in the header statement above, "includeSubDomains", should be set wisely; it is optional.

HSTS goes one step further: with the option "preload" and an entry on HSTSpreload, the domain is stored in the browser's HSTS preload list. The domain can then only be reached via HTTPS by those browsers.

HTTPOnly Cookie

So that cookies set by the server cannot be used by scripts, a corresponding header can be set in Apache. This noticeably reduces the possibilities of an XSS attack.

# Append HttpOnly and Secure to every Set-Cookie value the server sends
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"

OCSP

The Online Certificate Status Protocol checks whether the certificate delivered by the server is still valid. If it is not, a corresponding message is sent to the client. With OCSP stapling the certificate is checked by the web server itself, directly at the issuing CA via HTTP. If necessary, the firewall needs an additional rule set for the OCSP traffic.

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:${APACHE_LOG_DIR}/ocsp(128000)

X-Frame-Options

With this option you can prevent your own page, or parts of it, from being displayed in frames. This prevents your page from being shown under a different domain. This security option is supported by almost all newer browsers, but can be deliberately bypassed. It is a security feature for the browser user. This option also requires the header module.

Header always set X-Frame-Options SAMEORIGIN

The following values are available:
DENY - It is forbidden to display the page in a frame.
SAMEORIGIN - Only your own domain is allowed to frame the page.
ALLOW-FROM - Specify which domain is allowed to frame the page.

X-Content-Type-Options

This option tells the browser (Internet Explorer and Chrome) that, for example, CSS files may only be used as such if the file is also served with the matching MIME type "text/css". The same applies to scripts.

Header always set X-Content-Type-Options "nosniff"
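As an added check (example code written for this article, not part of it or of Apache): the following Python audits a captured response header block, such as the output of `curl -I`, for the settings described above. The sample response and the finding texts are constructed here.

```python
import re

# Constructed sample response (not captured from a real host), as `curl -I`
# would show it for a server that has not yet applied the settings above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: session=abc123; Path=/
Set-Cookie: theme=dark; Path=/; HttpOnly; Secure
"""

def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; repeats are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Return one finding per hardening setting from this article that is missing."""
    hdrs = parse_headers(raw)
    get = lambda name: [v for n, v in hdrs if n == name]
    findings = []
    # ServerTokens Prod: the Server header should read just "Apache".
    for v in get("server"):
        if re.search(r"/\d", v) or "(" in v:
            findings.append(f"Server header leaks version/OS: {v!r}")
    # HSTS: present, with a max-age of at least one year (31536000 s).
    hsts = get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) < 31536000:
        findings.append("Strict-Transport-Security missing or max-age < 1 year")
    # Every cookie must carry HttpOnly and Secure (attributes are case-insensitive).
    for v in get("set-cookie"):
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        missing = sorted({"httponly", "secure"} - attrs)
        if missing:
            findings.append(f"cookie {v.split('=', 1)[0]!r} lacks {missing}")
    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN.
    xfo = get("x-frame-options")
    if not xfo or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    # MIME sniffing: X-Content-Type-Options must be nosniff.
    if not any(v.lower() == "nosniff" for v in get("x-content-type-options")):
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings
```

Running audit_headers(SAMPLE_RESPONSE) reports five findings for the sample; a response from a server with all of the above directives in place yields an empty list.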