How to Secure an Apache Web Server?

Securing an Apache HTTP Server is a critical step in protecting your web applications and user data from malicious attacks. By default, Apache is configured for flexibility and ease of use rather than maximum security. This article provides a comprehensive guide to hardening your Apache installation, covering essential practices such as hiding server information, disabling unnecessary modules, implementing robust SSL/TLS configurations, and configuring protective HTTP headers.

Minimize Information Disclosure

One of the easiest ways to reduce what an attacker can learn during reconnaissance is to limit what the server reveals about its software and operating system. By default, Apache includes its version number, the operating system and information about loaded modules in the Server response header and in the signature line of server-generated pages such as error messages. ServerTokens Prod trims the header to just "Apache", and ServerSignature Off removes the signature line.

ServerTokens Prod
ServerSignature Off

Disable Unnecessary Modules and Features

A standard Apache installation includes numerous pre-enabled modules and features that you may not actually need. Each active module increases the server’s attack surface and consumes system resources.

Turn Off Directory Browsing

If a directory contains no index file (such as index.html), Apache may return a listing of every file in it, which can expose sensitive source code or configuration files that were never meant to be served. Make sure the Indexes option is disabled by prefixing it with a minus sign:

<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>

Disable Unused Modules

Review httpd.conf or the per-module configuration files and comment out the LoadModule lines for modules your applications do not require, such as mod_imap, mod_info, mod_userdir, or mod_autoindex.

Implement Robust SSL/TLS Settings

Encrypting data in transit is non-negotiable for modern web security. However, simply enabling HTTPS is not enough; you must ensure that your configuration uses strong protocols and ciphers.

Enforce Modern Protocols

Disable outdated and vulnerable protocols like SSLv2, SSLv3, TLS 1.0, and TLS 1.1. Configure Apache to only accept TLS 1.2 and TLS 1.3 connections.

Optimize Cipher Suites

Define a secure list of cipher suites that prioritizes forward secrecy and strong encryption algorithms, while explicitly rejecting weak ciphers (such as those using RC4 or 3DES).

SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
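As an added check that is not part of the original article, the following Python script evaluates an SSLProtocol line with the same +/- rules mod_ssl applies and asks the OpenSSL library Python is linked against what an SSLCipherSuite string actually selects, so both directives can be audited offline. The configuration fragment embedded in it is constructed from the directives above; audit_tls, enabled_protocols, weak_ciphers and forward_secrecy_gaps are this example's own function names. It goes one step beyond the text by listing the suites in HIGH:!aNULL:!MD5:!3DES that still use static RSA key exchange and therefore offer no forward secrecy; appending !kRSA to the string removes them.

```python
import re
import ssl

# Constructed configuration fragment: the mod_ssl directives from this article.
SAMPLE_SSL_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
"""

# Protocol names mod_ssl accepts. "all" is expanded to every one of them here;
# the real expansion depends on the OpenSSL build, so the audit assumes the
# widest set and relies on the minus tokens to carve out the legacy versions.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in PROTOCOLS}
WEAK_ENC = ("RC4", "3DES", "DES", "RC2", "None")


def directive(config_text, name):
    """Value of the first directive called `name`, or None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", config_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def enabled_protocols(sslprotocol_value):
    """Evaluate an SSLProtocol token list with mod_ssl's rules: '+name' adds
    to the set, '-name' removes from it, and a bare name replaces the set."""
    enabled = set()
    for token in sslprotocol_value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            names = set(PROTOCOLS)
        elif name.lower() in _CANON:
            names = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol {name!r}")
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def expand_ciphers(cipher_string):
    """Ask the linked OpenSSL what an SSLCipherSuite string selects. Each
    suite's description carries Kx= Au= Enc= Mac= fields, parsed here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [dict(re.findall(r"(\w+)=(\S+)", c["description"]), name=c["name"])
            for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string):
    """Suites still selected that use RC4, DES/3DES, RC2, no encryption,
    an MD5 MAC, or anonymous (unauthenticated) key exchange."""
    return [c["name"] for c in expand_ciphers(cipher_string)
            if c.get("Enc", "").startswith(WEAK_ENC)
            or c.get("Mac") == "MD5" or c.get("Au") == "None"]


def forward_secrecy_gaps(cipher_string):
    """Suites whose key exchange is static RSA: a later compromise of the
    server key would decrypt recorded sessions. TLS 1.3 suites show Kx=any
    and always use ephemeral (EC)DHE, so they never appear here."""
    return [c["name"] for c in expand_ciphers(cipher_string) if c.get("Kx") == "RSA"]


def audit_tls(config_text):
    """Findings against the article's three TLS recommendations; an empty
    list means the fragment passes. A missing SSLProtocol is treated as
    'all' (assumption: the widest set) so that the omission gets reported."""
    findings = []
    legacy = LEGACY & enabled_protocols(directive(config_text, "SSLProtocol") or "all")
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    suite = directive(config_text, "SSLCipherSuite")
    weak = weak_ciphers(suite) if suite else []
    if suite is None:
        findings.append("no SSLCipherSuite: OpenSSL's default list is offered unreviewed")
    elif weak:
        findings.append("weak cipher suites: " + ", ".join(weak))
    if (directive(config_text, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on, so the client picks the suite")
    return findings


if __name__ == "__main__":
    print("findings:", audit_tls(SAMPLE_SSL_CONFIG) or "none")
    print("static-RSA suites still offered by the article's cipher string:",
          forward_secrecy_gaps("HIGH:!aNULL:!MD5:!3DES"))
```

Because ctx.get_ciphers() reflects the OpenSSL version Python is built against, run the script on the web server itself to see the list mod_ssl will actually offer there.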

Configure Security-Focused HTTP Headers

You can instruct user browsers to handle your site’s content more securely by implementing specific HTTP response headers. These can be added using the mod_headers module.

HTTP Strict Transport Security (HSTS)

HSTS forces browsers to connect to your website exclusively over HTTPS, which defeats protocol-downgrade attempts by a man-in-the-middle. The browser only learns the policy from a header it received over HTTPS, so a visitor's very first connection is not protected unless the domain is on the browsers' preload list; the preload token in the header signals that you want it included.

X-Frame-Options

This header protects your users against clickjacking attacks by preventing your site’s content from being embedded into frames or iframes on unauthorized external sites.

Content Security Policy (CSP)

A strong CSP helps mitigate Cross-Site Scripting (XSS) and data injection attacks by restricting the origins from which the browser is allowed to load resources (such as scripts, images, and stylesheets).

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
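The following Python script is an added example, not part of the original article, that checks a raw HTTP response for the settings discussed in this section and under Minimize Information Disclosure above: version leakage in the Server header, the HSTS parameters, X-Frame-Options, X-Content-Type-Options and the presence of a Content-Security-Policy. The two responses embedded in it are constructed samples (one resembling a server hardened with the directives above, one resembling an untouched default with a made-up version string), and the one-year HSTS floor is the audit's own threshold.

```python
import re

# Constructed sample of what Apache configured with ServerTokens Prod and the
# three Header lines from this article could send; not a capture from a host.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

# Constructed sample resembling an untouched install (version string made up):
# version and OS in the Server header and none of the protective headers.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.0 (Unix)\r\n"
    "X-Powered-By: PHP/8.0.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

HSTS_MIN_AGE = 31536000  # one year; the floor this audit chooses to enforce


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {lower-cased name: value}).
    Repeated fields are joined with ', ', which is how HTTP defines their merge."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def hsts_params(value):
    """(max-age as int, set of the other lower-cased tokens) from an HSTS value."""
    tokens = [t.strip().lower() for t in value.split(";") if t.strip()]
    max_age = 0
    for t in tokens:
        if t.startswith("max-age="):
            digits = t[len("max-age="):]
            max_age = int(digits) if digits.isdigit() else 0
    return max_age, {t for t in tokens if not t.startswith("max-age=")}


def audit_headers(headers):
    """Findings for the disclosure and browser-policy headers; empty means all good."""
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"Server header discloses version or OS: {server!r}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses the application stack: {headers['x-powered-by']!r}")
    if "strict-transport-security" not in headers:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, flags = hsts_params(headers["strict-transport-security"])
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
        if "includesubdomains" not in flags:
            findings.append("HSTS lacks includeSubDomains")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")
    return findings


def audit_response(raw):
    """Convenience wrapper: parse a raw response and audit its headers."""
    return audit_headers(parse_response(raw)[1])


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        print(f"{label}: {audit_response(raw) or 'all checks passed'}")
```

To run it against a live server, feed parse_response the raw bytes of a HEAD or GET request's reply decoded as text; the checks are deliberately on the response, not the configuration, so they also catch a reverse proxy or application framework that adds a disclosing header after Apache.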

Protect the Root Directory and Restrict Access

Securing the file system structure prevents users from accessing core operating system files through the web server. Your default policy should be to deny all access to the file system, and then explicitly grant access only to the specific directories meant for public viewing.

<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/html>
    AllowOverride None
    Require all granted
</Directory>

Setting AllowOverride None ensures that users cannot bypass your global security configuration with per-directory .htaccess files unless you explicitly permit it for specific directories. It also spares Apache from searching for .htaccess files along the whole path on every request.
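The Python script below is an added example, not part of the original article, that parses a configuration fragment and checks the file-system and disclosure directives recommended on this page: ServerTokens, ServerSignature, the deny-all root block, AllowOverride in every block, and whether Indexes is effectively enabled in any block that grants access. Both embedded fragments are constructed; the ALL_OPTIONS set approximates Apache's default of Options All, and the merge rule (a line made only of +/- tokens adjusts the inherited set, a bare list replaces it) follows the documented behaviour of the Options directive.

```python
import re

# Constructed httpd.conf fragment made of the directives this article
# recommends; an illustration, not a file taken from a real host.
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/html>
    AllowOverride None
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
"""

# Constructed fragment resembling an untouched install: no ServerTokens, a
# root block that grants access, overrides allowed, Indexes left on.
DEFAULT_CONFIG = """
<Directory />
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

# Assumption: Apache's default is "Options All" (everything except
# MultiViews), so Indexes is on unless an enclosing block turns it off.
ALL_OPTIONS = frozenset({"Indexes", "FollowSymLinks", "Includes", "ExecCGI"})
_BLOCK = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def _pairs(text):
    """(name, value) for each directive line, names lower-cased, comments dropped."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def parse_config(text):
    """Split into (global directives, {directory path: its directives})."""
    blocks = {m.group(1): _pairs(m.group(2)) for m in _BLOCK.finditer(text)}
    return _pairs(_BLOCK.sub("", text)), blocks

def last(pairs, name, default=None):
    """Last value given for a directive (Apache's last-wins rule)."""
    return next((v for n, v in reversed(pairs) if n == name.lower()), default)

def merge_options(inherited, value):
    """Apply one Options line: only-+/- tokens adjust the inherited set,
    any other form (including None) replaces it outright."""
    tokens = value.split()
    if all(t[0] in "+-" for t in tokens):
        result = set(inherited)
        for t in tokens:
            names = set(ALL_OPTIONS) if t[1:] == "All" else {t[1:]}
            result = result | names if t[0] == "+" else result - names
        return result
    return set().union(*(ALL_OPTIONS if t == "All" else {t} for t in tokens if t != "None"))

def effective_options(blocks):
    """Resolve Options per block, inheriting from the nearest enclosing block
    (or the server default), which is how Apache merges Directory sections."""
    resolved = {}
    for path in sorted(blocks, key=len):  # parents are shorter, so resolve them first
        parents = [p for p in resolved if path.startswith(p.rstrip("/") + "/")]
        inherited = resolved[max(parents, key=len)] if parents else ALL_OPTIONS
        value = last(blocks[path], "Options")
        resolved[path] = merge_options(inherited, value) if value else set(inherited)
    return resolved

def _denies_all(pairs):
    return " ".join(last(pairs, "Require", "").split()).lower() == "all denied"

def audit_config(text):
    """Findings against this page's recommendations; empty means it passes."""
    globals_, blocks = parse_config(text)
    findings = []
    if last(globals_, "ServerTokens", "Full") != "Prod":  # Apache default is Full
        findings.append("ServerTokens is not Prod")
    if last(globals_, "ServerSignature", "Off").lower() != "off":
        findings.append("ServerSignature is not Off")
    if "/" not in blocks or not _denies_all(blocks["/"]):
        findings.append("<Directory /> does not deny all access")
    for path, pairs in blocks.items():
        override = last(pairs, "AllowOverride", "None")  # Apache 2.4 default is None
        if override.lower() != "none":
            findings.append(f"{path}: .htaccess overrides allowed (AllowOverride {override})")
    for path, options in effective_options(blocks).items():
        if "Indexes" in options and not _denies_all(blocks[path]):
            findings.append(f"{path}: directory listing enabled (Indexes)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

The inheritance step matters more than it looks: a web-root block with no Options line at all still has Indexes on, because it inherits the server default, which is why the article's -Indexes line is needed even though nothing in the file ever enabled listing.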