Easy Security Improvements for Apache Websites

Some key security measures, such as using TLS encryption (https://), are taken for granted. Others are often missed until they are flagged by a security scan.

Here are two easy changes that have helped some of our clients reduce perceived vulnerabilities. These changes, typically made in the Apache web server’s httpd.conf file, prevent unnecessary exposure of web server information and satisfy security scanners.

Disable trace and track

Security scanners may flag the TRACE and TRACK HTTP methods as insecure. Documentation for the Apache web server states: “…enabling the TRACE method does not expose any security vulnerability in Apache httpd,” but we may as well disable it when not needed.

TRACE

To disable the TRACE method, add TraceEnable Off to the web configuration and restart your web server instance.

TraceEnable Off

After restarting your web server, you can confirm that TRACE is disabled by running this command:

curl -v -X TRACE https://mysite.com

Output from the TRACE method should now contain the message:

HTTP/1.1 405 Method Not Allowed

TRACK

Apache never allowed TRACK, which exists only in old versions of Windows IIS. No action is needed to disable TRACK, even though some security scanners refer to “TRACE/TRACK” together.

You can confirm that TRACK is unavailable by running this command:

curl -v -X TRACK https://mysite.com

Output from the TRACK method should contain the message:

HTTP/1.1 501 Not Implemented

Conceal .htaccess files

To prevent .htaccess configuration files from being visible in the browser, a situation that could reveal sensitive file system information, you can add the following directives in httpd.conf, then restart your web server instance:

Now you can confirm that access to .htaccess is blocked by attempting to access its URL with a command such as:

curl https://mysite.com/.htaccess

The curl command should return HTTP/1.1 403 Forbidden.
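The three curl checks described above, collected into one script as an added example that is not part of the original post. CHECK_SITE is an assumed placeholder for the site URL, and the expected status codes are the ones quoted in this post.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes the site URL is
# supplied in CHECK_SITE (a placeholder, e.g. CHECK_SITE=https://mysite.com).

# judge <name> <expected> <observed>: compare one probe result against the
# status the hardened configuration should produce. Pure function, no network.
judge() {
  if [ "$2" = "$3" ]; then
    printf 'PASS %-9s returned %s\n' "$1" "$3"
    return 0
  fi
  printf 'FAIL %-9s expected %s, got %s\n' "$1" "$2" "$3"
  return 1
}

# probe <method> <path>: issue one request and print only the HTTP status code.
# curl prints 000 when no response was received (connection refused, TLS error).
probe() {
  curl -sS -o /dev/null -w '%{http_code}' -X "$1" "${CHECK_SITE}$2" 2>/dev/null || true
}

# run_checks: the three verifications described in the post.
#   TRACE     -> 405 Method Not Allowed  (TraceEnable Off)
#   TRACK     -> 501 Not Implemented     (never implemented by Apache)
#   .htaccess -> 403 Forbidden           (access to .htaccess denied)
run_checks() {
  rc=0
  judge TRACE     405 "$(probe TRACE /)"        || rc=1
  judge TRACK     501 "$(probe TRACK /)"        || rc=1
  judge .htaccess 403 "$(probe GET /.htaccess)" || rc=1
  return "$rc"
}

# Only contact the network when a target was given.
if [ -n "${CHECK_SITE:-}" ]; then
  run_checks
fi
```

Run it as `CHECK_SITE=https://mysite.com sh check-apache.sh` after restarting httpd; a non-zero exit status means at least one check did not return the expected code.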

Consider these security settings

Don’t wait for a vulnerability scanner to flag your web server settings. If they make sense on your system, consider making these easy changes to your Apache web configuration.
