When setting up a new Apache server to run your application, it’s always a good idea to apply some initial security settings as part of the process. On Debian and Ubuntu the Apache package ships with a default security.conf file that can be enabled and edited to add basic hardening to your server.
After installing Apache, you can enable the default security configuration with:
sudo a2enconf security
This command symlinks the security.conf file found in the /etc/apache2/conf-available directory into /etc/apache2/conf-enabled (if it is already enabled, the command simply reports so). Reload Apache afterwards so the configuration takes effect, for example with sudo systemctl reload apache2. The file can then be edited to add further options that harden your setup.
It’s generally a good idea to hide details of your system, such as the Apache or PHP version numbers, so that attackers cannot fingerprint your stack and pick an exploit for a known vulnerability in that exact version. This only hardens against reconnaissance: the vulnerability is still there until you patch it. For Apache, set the following two options in the security.conf file:
ServerTokens Prod
ServerSignature Off
(The PHP version is advertised separately in an X-Powered-By header; that is controlled by expose_php = Off in php.ini, not by Apache.) This turns the Server header from:
Server: Apache/2.4.29 (Ubuntu)
into just:
Server: Apache
ServerSignature Off additionally removes the version line from server-generated pages such as error pages and directory listings.
There are also default headers you can set for your application (using Apache’s mod_headers module, enabled with sudo a2enmod headers) that stop your pages from being loaded in an iframe on other sites, prevent content-type sniffing, and more. For most of the applications I create, this is what my security.conf tends to look like:
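A security.conf of that shape, added here as an illustration rather than the author’s own file. It assumes the Debian/Ubuntu layout described above (the file lives in /etc/apache2/conf-available and is enabled with a2enconf security) and that mod_headers has been enabled with a2enmod headers; the HSTS line is an assumption about your deployment and is left commented out.

```apache
# security.conf (added example; not the post author's own file).
# Assumes the Debian/Ubuntu layout: this file lives in
# /etc/apache2/conf-available/, is enabled with `a2enconf security`,
# and mod_headers has been enabled with `a2enmod headers`.

# Hide the Apache version and OS from the Server header and from
# server-generated pages (error pages, directory listings).
ServerTokens Prod
ServerSignature Off

# Refuse HTTP TRACE, which echoes request headers (including cookies)
# back to the client.
TraceEnable Off

<IfModule mod_headers.c>
    # Clickjacking: only allow this site to frame its own pages.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from MIME-sniffing a response away from its declared
    # Content-Type (e.g. treating an uploaded file as a script).
    Header always set X-Content-Type-Options "nosniff"

    # Limit what the Referer header leaks to other origins.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Strip the X-Powered-By header that PHP and some frameworks add.
    # For PHP the proper fix is expose_php = Off in php.ini; this catches
    # anything else that sets it.
    Header always unset X-Powered-By

    # For HTTPS-only hosts: tell browsers to use HTTPS for the next year.
    # Only enable once every subdomain is served over TLS, or they break.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
```

The always keyword makes mod_headers apply the header to error responses too, not just 2xx responses, which matters because error pages are exactly what a scanner looks at first. After editing, run sudo apache2ctl configtest and reload Apache, then confirm with curl -sI https://yourhost/ that the Server header reads just Apache and the new headers are present.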
Excellent. Do you have any tips for stopping people with no UA, giving them a 403 or something like that?
You can use .htaccess files to show a 403 error or similar: the F flag will return 403 Forbidden, and the L flag means no further rewrites will be processed.
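A rewrite rule that does what the reply above describes, written out as an added example and not the author’s posted snippet. It assumes mod_rewrite is enabled (a2enmod rewrite) and that the directory’s configuration grants AllowOverride FileInfo (or All), without which a RewriteRule in .htaccess is ignored.

```apache
# .htaccess (added example, not the author's own snippet). Assumes
# mod_rewrite is enabled (a2enmod rewrite) and the enclosing <Directory>
# block has "AllowOverride FileInfo" or "AllowOverride All".
RewriteEngine On

# %{HTTP_USER_AGENT} expands to the empty string when the header is absent,
# so ^$ matches both a missing and an empty User-Agent.
RewriteCond %{HTTP_USER_AGENT} ^$

# Refuse the request with 403 Forbidden (F) and stop processing rules (L).
RewriteRule ^ - [F,L]
```

Treat this as a nuisance filter rather than a security control: any attacker can send whatever User-Agent they like, and the rule will also reject legitimate clients that send none (some monitoring probes, or curl -A ""), so check your logs after enabling it. On Apache 2.4 the same check can be done without mod_rewrite using an expression block, <If "-z %{HTTP_USER_AGENT}"> with Require all denied inside it.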