When setting up a new Apache server to run your application, it’s always a good idea to setup some initial security settings as part of the process. Luckily, Apache comes with a default security.conf
file that can be enabled and updated to add basic hardening to your server.
After installing apache, you can enable the default security configuration using:
sudo a2enconf security
The above command line loads up the security.conf
file found in the /etc/apache2/conf-available
directory. This file can then be modified to add extra options to further harden your setup.
It’s generally a good idea to hide information about the specifics of your system, like the Apache or PHP version numbers, to make it difficult for attackers to exploit a known vulnerability. This can be achieved by changing the following two options in the security.conf
file:
ServerTokens Prod
ServerSignature Off
This will turn the server information from:
Server: Apache/2.4.29 (Ubuntu)
to just:
Server: Apache
There are also default headers you can set for your application (making use of the mod_headers
mod for Apache) that will prevent your application from being iframed into other pages, preventing content sniffing and more. For most of the application I create, this is what my security.conf
tends to looks like: