Table of contents
- Directory Browsing / Listing
- Server Signature
- Server Tokens
- HTTP-Only and Secure Cookie
- Additional headers
Directory Browsing / Listing
Directory Browsing or Listing can expose sensitive information or documents to attackers, for example configuration files or other confidential data. To disable Directory Browsing or Listing, the module mod_autoindex can be disabled globally:
# a2dismod autoindex
# systemctl restart apache2
Another option is to disable Directory Browsing or Listing per host or virtual host in a Directory Directive. In the Directory Directive the option -Indexes must be set. The Directory Directive is set in the configuration file /etc/apache2/sites-enabled/site.conf:
<Directory /var/www/html/site>
    Options -Indexes
</Directory>
The screenshot below shows the response of the Apache2 Web Server with Directory Browsing or Listing enabled and disabled:
Server Signature
The Server Signature contains information like the Web Server version, the running Operating System, the IP address or Hostname, and the Port. This information can be used by an attacker to look for specific vulnerabilities of the Web Server or Operating System. The Server Signature can be disabled per host or virtual host in the /etc/apache2/sites-enabled/site.conf configuration file.
The screenshot shows that the Server Signature is now disabled after applying this setting:
Server Tokens
The Server Tokens are sent in the HTTP response header and contain information like the Web Server version and the running Operating System. This information can be used by an attacker to look for specific vulnerabilities of the Web Server or Operating System. The Server Tokens can be disabled in the /etc/apache2/conf-enabled/security configuration file.
This screenshot shows that only the Web Server name, but not its version or the Operating System, is sent in the HTTP response header:
HTTP-Only and Secure Cookie
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Additional headers
Additional headers like Strict-Transport-Security or X-XSS-Protection can be tested at Scott Helme's web site securityheaders.com. For every header, the site's additional information explains what the specific header does and how it is implemented.
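As an added verification example (not code from the original post), the following Python audits a captured HTTP response against the settings covered above: a verbose Server header (ServerTokens not reduced), cookies without HttpOnly/Secure, a missing Strict-Transport-Security header, and a mod_autoindex listing page. The sample response, the finding labels and the regular expressions are my own constructions.

```python
"""Check a captured HTTP response against the Apache hardening settings
discussed above: Server token verbosity, HttpOnly/Secure cookie flags,
Strict-Transport-Security, and directory listing pages."""
import re

# Constructed sample response from an unhardened server (not a real capture).
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /site</title></head></html>"
)

def parse_headers(raw):
    """Split a raw response into (status line, list of (name, value), body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def audit(raw):
    """Return a list of findings; an empty list means all checks passed."""
    _, headers, body = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "server" and re.search(r"/\d|\(", value):
            # Version number or OS suffix present: ServerTokens is not reduced.
            findings.append("server-header-verbose: " + value)
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            cookie = value.split("=", 1)[0]
            if "httponly" not in attrs:
                findings.append("cookie-missing-httponly: " + cookie)
            if "secure" not in attrs:
                findings.append("cookie-missing-secure: " + cookie)
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("hsts-missing")
    if re.search(r"<title>Index of /", body):
        # Default mod_autoindex listing page: Options -Indexes not applied.
        findings.append("directory-listing-enabled")
    return findings
```

Running `audit(UNHARDENED)` reports all six problems; the same function on a response from a server with the settings above applied returns an empty list.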