Apache Security – 10 Tips for a Secure Installation

1. Disable the server-info Directive

If the directive in the httpd.conf configuration file is enabled, you can see information about the Apache configuration by accessing the /server-info page (for example, ). This could potentially include sensitive information about server settings such as the server version, system paths, database names, library information, and so on.

For example, /server-info exposes the Apache version along with the OpenSSL version. In the past, an attacker could use this information to find out whether the server uses a version of OpenSSL that is vulnerable to the Heartbleed bug.

You can disable this directive by commenting out the entire mod_info module in the httpd.conf Apache configuration file:

2. Disable the server-status Directive

When enabled, the directive lists information about server performance, such as server uptime, server load, current HTTP requests, and client IP addresses. An attacker may use this information to craft an attack against the web server.

You can disable this directive by commenting it out in the httpd.conf Apache configuration file:

3. Disable the ServerSignature Directive

The ServerSignature directive adds a footer to server-generated documents. This footer includes information about your Apache configuration such as the version of Apache and the operating system. To restrict Apache from displaying this sensitive information, you need to disable this directive in your httpd.conf Apache configuration file:

4. Set the ServerTokens Directive to Prod

The ServerTokens directive controls the information that is sent back in the Server response header field. You can use different syntaxes in this directive, as listed in the Apache ServerTokens documentation. The ServerTokens directive should be set to Prod in order to instruct Apache to return only Apache in the server response headers. This can be done by including the following directive in your httpd.conf Apache configuration file:

5. Disable Directory Listing

Directory listing lets you view complete directory contents. If this option is enabled, an attacker can simply discover and view any file. This could potentially lead to the attacker decompiling and reverse engineering an application in order to obtain the source code. They can then analyze the source code for possible security flaws or obtain more information about an application, such as database connection strings, passwords to other systems, etc. You can disable directory listing by setting the Options directive in the Apache httpd.conf file:

6. Enable Only the Required Modules

A default installation of the Apache HTTP server may include many pre-installed and enabled modules that you do not need. To add insult to injury, some web server administrators have a tendency to take the path of least resistance and enable all the remaining modules in httpd.conf, so as to ensure that everything works without a hitch. This, however, also opens up the Apache server to any security issues that might exist or be discovered in the future for the enabled modules.

The Apache module documentation lists and explains all the modules available for Apache. Research the modules that you have enabled and make sure that they are really required for the functionality of the website. Unnecessary modules should be disabled by commenting out a specific LoadModule line.

7. Use An Appropriate User and Group

By default, Apache runs under the daemon user and group. However, it is best practice to run Apache using a non-privileged account. Furthermore, if two processes (such as Apache and MySQL) are running using the same user and group, issues in one process might lead to exploits in the other process. To change Apache user and group, you need to change the User and Group directives in the Apache httpd.conf configuration file.

8. Restrict Unwanted Services

To secure Apache, you may want to disable certain services, such as CGI execution and symbolic links, if these are not needed. You can disable these services using the Options directive in the httpd.conf configuration file and you may also disable these services for a particular directory only. The below example shows what you need to include in your httpd.conf configuration file to disable CGI script execution, symbolic links, and server-side includes for your web server root directory and its subdirectories.

9. Use the ModSecurity WAF

ModSecurity is an open-source module that works as a web application firewall. Different functionalities include filtering, server identity masking, and null-byte attack prevention. This module also lets you perform real-time traffic monitoring.

We recommend that you follow the ModSecurity manual to install mod_security to improve your web server security and protect against a multitude of attacks including distributed denial of service attacks (DDOS). You can also temporarily use ModSecurity to protect against certain attacks like SQL Injection and Cross-site Scripting until vulnerabilities are fixed by the developer.

10. Enable Logging

Apache logging provides detailed information about client requests made on your web server, hence enabling such logging will prove useful when investigating the cause of particular issues. In order to enable logging the mod_log_config module needs to be included from the Apache httpd.conf file. This module provides the TransferLog, LogFormat, and CustomLog directives which are respectively used to create a log file, specify a custom format, and creating and formatting a log file in one step. As seen below, the LogFormat directive is used to specify a custom logging format – in this case the referrer and browser of each request are logged along with the default logging parameters. Then, the CustomLog directive will be used to instruct Apache to use this logging format.