Secure Apache Configuration

Config in httpd.conf




1. Hide the Apache Version number, and other sensitive information.

   ServerSignature OffServerTokens Prod

   The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

   The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it toProd it sets the HTTP response header as follows:

   Server: Apache

2. Make sure apache is running under its own user account and group

   User apacheGroup apache

3. Ensure that files outside the web root are not served
   

   <Directory />Order Deny,AllowDeny from allOptions NoneAllowOverride None</Directory><Directory /web>Order Allow,DenyAllow from all</Directory>

4. Turn off directory browsing
   

   Options -Indexes

5. Turn off server side includes
   

   Options -Includes

6. Turn off CGI execution
   

   Options -ExecCGI

7. Don't allow apache to follow symbolic links
   

   Options -FollowSymLinks

8. Turning off multiple Options
   

   Turn off all Options:

   Options None

   Turn off some Options:

   Options -ExecCGI -FollowSymLinks -Indexes

9. Turn off support for .htaccess files
   

   AllowOverride None

10. Lower the Timeout value
    

    Timeout 45

11. Restricting Access by IP
    

    Order Deny,AllowDeny from allAllow from 127.0.0.1