Easy Security Improvements for Apache Websites
Some key security measures, such as using TLS encryption (https://), are taken for granted. Others are often missed until they are flagged by a security scan.
Here are two easy changes that have helped some of our clients reduce the findings reported by vulnerability scanners. These changes, typically made in the Apache web server's httpd.conf (or a virtual host file that it includes), stop unnecessary exposure of web server information and satisfy the scanners at the same time.
Disable trace and track
Security scanners may flag the TRACE and TRACK HTTP methods as insecure. Documentation for the Apache web server states: "…enabling the TRACE method does not expose any security vulnerability in Apache httpd," and that is accurate: the historical concern was cross-site tracing (XST), where script running in a browser used TRACE to read cookies out of the echoed request, and modern browsers refuse to send TRACE from script. Even so, TRACE serves no purpose on a production site, so we may as well disable it when it is not needed.
TRACE
To disable the TRACE method, add the following directive to the main server configuration or a virtual host (it is not honoured in .htaccess), check the configuration with apachectl configtest, and then restart or gracefully reload your web server instance:
TraceEnable Off
After restarting your web server, you can confirm that TRACE is disabled by running this command:
curl -v -X TRACE https://mysite.com
The response status line printed by curl (prefixed with "<") should now be:
HTTP/1.1 405 Method Not Allowed
If curl negotiated HTTP/2, the same status appears as HTTP/2 405. If you instead see a 301 or 302, the request was redirected (for example from http:// to https://) before the method was evaluated; re-run the check against the final URL.
TRACK
Apache httpd has never implemented TRACK; it was a Microsoft IIS extension found only in old IIS versions. No action is needed to disable TRACK, even though some security scanners refer to "TRACE/TRACK" together.
You can confirm that TRACK is unavailable by running this command:
curl -v -X TRACK https://mysite.com
Output from the TRACK request should contain the message:
HTTP/1.1 501 Not Implemented
This is Apache's response to any method it does not recognise, so it is the expected result and not a sign of misconfiguration.
Conceal .htaccess files
To prevent exposure of .htaccess configuration files, which could reveal sensitive file system paths, rewrite rules and authentication settings, make sure the following directives are present in httpd.conf, then restart your web server instance:
<Files .htaccess>
    Require all denied
</Files>
The stock httpd.conf shipped with Apache 2.4 already contains an equivalent block for <Files ".ht*">, which also covers .htpasswd files; keep that broader pattern if it is present, and check that nothing later in the configuration overrides it. Require all denied is Apache 2.4 syntax; on Apache 2.2 the equivalent is Order allow,deny followed by Deny from all.
Now you can confirm that access to .htaccess is blocked by requesting its URL and printing the response headers (without -i, curl shows only the HTML error body):
curl -i https://mysite.com/.htaccess
The status line should read HTTP/1.1 403 Forbidden. A 404 Not Found only tells you that no .htaccess exists at that path; to prove the block works, test against a directory that actually contains one.
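The checks above can be run together. The script below is an added example (not code from the original post): it probes a site for TRACE, TRACK and direct access to .htaccess with curl and classifies each status code as PASS, FAIL or WARN. The hostname https://mysite.com is an assumed placeholder, curl and network access are needed at run time, and the classification function can be exercised on its own without a server.

```sh
#!/bin/sh
# Added example, not from the original post: audit an Apache host for the three
# items discussed above (TRACE, TRACK, direct access to .htaccess).
# The base URL given on the command line is a placeholder assumption.

# Classify the HTTP status code that one probe returned.
# Arguments: check name (TRACE, TRACK or HTACCESS) and a three-digit status code.
# Echoes PASS, FAIL or WARN. Needs no network, so it can be tested offline.
verdict() {
    check=$1
    code=$2
    case "$check" in
        TRACE|TRACK)
            case "$code" in
                405|501) echo PASS ;;   # 405: TraceEnable Off; 501: method unknown to Apache
                200)     echo FAIL ;;   # the server echoed the request back
                *)       echo WARN ;;   # e.g. 301/302 redirect, or 000 = no HTTP response
            esac ;;
        HTACCESS)
            case "$code" in
                403)     echo PASS ;;   # blocked by the <Files> directive
                200)     echo FAIL ;;   # the file contents were served
                404)     echo WARN ;;   # nothing at that path; place a test .htaccess to prove the block
                *)       echo WARN ;;
            esac ;;
        *)
            echo WARN ;;
    esac
}

# Send one request and print only the numeric status; the body is discarded.
# curl prints 000 when no HTTP response was received at all.
probe() {
    method=$1
    url=$2
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$method" "$url"
}

# Run all three probes against a base URL such as https://mysite.com
# Returns 1 if any check FAILs, otherwise 0.
audit() {
    base=$1
    rc=0
    while read -r name method path; do
        code=$(probe "$method" "${base}${path}")
        v=$(verdict "$name" "$code")
        printf '%-8s %-5s %-10s %s %s\n' "$name" "$method" "$path" "$code" "$v"
        if [ "$v" = FAIL ]; then rc=1; fi
    done <<EOF
TRACE TRACE /
TRACK TRACK /
HTACCESS GET /.htaccess
EOF
    return $rc
}

# Usage: sh apache_audit.sh https://mysite.com
if [ $# -eq 1 ]; then
    audit "$1"
fi
```

A WARN on the TRACE or TRACK rows usually means the request was redirected before Apache evaluated the method; point the script at the final URL (with the https:// scheme the site actually serves) and run it again. A non-zero exit status makes the script usable as a post-deployment gate.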
Consider these security settings
Don't wait for a vulnerability scanner to flag your web server settings. If they make sense on your system, consider making these easy changes to your Apache web configuration, and verify each one with curl after the restart rather than assuming the directive took effect.