Some security settings for Apache Web Server

Table of contents

  1. Directory Browsing / Listing
  2. Server Signature
  3. Server Tokens
  4. HTTP-Only and Secure Cookie
  5. Additional headers

Directory Browsing / Listing

Directory Browsing or Listing can expose sensitive information or documents to attackers. Sensitive information can be for example configuration files or other useful information or confidential data. To disable Directory Browsing or Listing, the module mod_autoindex can be disabled globally.

    # a2dismod autoindex
    # systemctl restart apache2

Another option is to disable Directory Browsing or Listing per host or virtual host in a Directory Directive. In the Directory Directive the option -Index must be set. The Directory Directive is sent in the configuration file /etc/apache2/sites-enabled/site.conf.

    <Directory /var/www/html/site>
        Options -Indexes

The screenshot below shows the response of the Apache2 Web Server with Directory Browsing or Listing enabled and disabled:

Apache2: Disable Directory Browsing

Server Signature

The Server Signature contains information like Web Server version, running Operating System, IP address or Hostname and Port. This information can be used by an attacker to look for specific vulnerabilities of the Web Server or Operating System. The Server Signature can be disabled per host or virtual host in /etc/apache2/sites-enabled/site.conf configuration file.

    ServerSignature Off

The screenshot shows that the Server Signature is now disabled after applying this setting:

Apache2: Disable Server Banner

Server Tokens

The Server Tokens are send in the HTTP response header and contain Information like Web Server version and running Operating System. This information can be used by an attacker to look for specific vulnerabilities of the Web Server or Operating System. The Server Tokens can be disabled in the /etc/apache2/conf-enabled/securty configuration file.

    ServerTokens Prod

This screenshot shows only the Web Server, but not the version or Operating System is sent in the HTTP resonse header:

Apache2: Limit Server Tokens

HTTP-Only and Secure Cookie

To prevent session fixation attacks the session cookie must be secured. This can be done by setting the cookie to Http-Only and to Secure. Secure enforces the Web server to deliver the cookie only over an encrypted HTTPS connection to the Browser. Http-Only ensures the cookie can only be accessed by the Web server and not, for example, the JavaScript function Document.cookie(). Note: I’m not using any first or third party cookies on my web site.

    Header always edit Set-Cookie (.\*) "$1;HttpOnly;Secure"

Additional headers

Additional headers like Strict-Transport-Security or X-XSS-Protection can be tested at Scott Helme’s web site For every header the additional information explains what the specific header is doing and how the headers are implemented.