Here are two easy changes that have helped some of our clients reduce perceived vulnerabilities. These changes, typically made in the Apache web server’s httpd.conf file, stop unnecessary exposure of web server information and satisfy security scanners that flag it.
Disable trace and track
Security scanners may flag the TRACE and TRACK HTTP methods as insecure. Documentation for the Apache web server states: “…enabling the TRACE method does not expose any security vulnerability in Apache httpd,” but we may as well disable it when not needed.
To disable the TRACE method, add TraceEnable Off to the web configuration and restart your web server instance.
After restarting your web server, you can confirm that TRACE is disabled by running this command:
curl -v -X TRACE https://mysite.com
Output from the TRACE method should now contain the message:
HTTP/1.1 405 Method Not Allowed
Apache never allowed TRACK, which exists only in old versions of Windows IIS. No action is needed to disable TRACK, even though some security scanners refer to “TRACE/TRACK” together.
You can confirm that TRACK is unavailable by running this command:
curl -v -X TRACK https://mysite.com
Output from the TRACK method should contain the message:
HTTP/1.1 501 Not Implemented
Conceal .htaccess files
To prevent .htaccess configuration files from being served to a browser, which could reveal sensitive details of the file system and server setup, add the following directives to httpd.conf (a Files container that denies every request for a file named .htaccess), then restart your web server instance:
<Files ".htaccess">
    Require all denied
</Files>
Now you can confirm that access to .htaccess is blocked by requesting its URL with curl -v, as in the commands above (for example, https://mysite.com/.htaccess). The curl command should return:
HTTP/1.1 403 Forbidden
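As an added example (not part of the original post), here is a small POSIX shell script that runs the three curl checks above against one host and compares each status code with the one the post says a hardened server returns: 405 for TRACE, 501 for TRACK and 403 for .htaccess. The hostname mysite.com is a placeholder, and the function names status_code, expect_code, probe and check_host are my own; the script only touches the network when you pass a hostname as its first argument.

```shell
#!/bin/sh
# Added example: verify the TRACE, TRACK and .htaccess hardening described in
# the post. Hostname is a placeholder assumption; pass your own as $1.

HOST="${1:-mysite.com}"   # placeholder, not a real target

# Read a block of HTTP response headers on stdin and print the numeric status
# code of the LAST status line, so an interim "100 Continue" or a redirect
# hop does not hide the final answer. Works for HTTP/1.1 and HTTP/2 lines.
status_code() {
    awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2 } END { print code }' | tr -d '\r'
}

# Compare an observed status code with the expected one.
# $1 = label, $2 = actual code, $3 = expected code. Returns 0 on match.
expect_code() {
    if [ "$2" = "$3" ]; then
        printf 'OK   %-9s returned %s\n' "$1" "$2"
        return 0
    fi
    printf 'FAIL %-9s returned %s (expected %s)\n' "$1" "$2" "$3"
    return 1
}

# Fetch only the response headers for a given method and path.
# -s silent, -S still show errors, -o /dev/null drop the body, -D - dump headers.
probe() {
    curl -sS -o /dev/null -D - -X "$1" "https://$HOST$2"
}

# Run the three checks from the post; exit non-zero if any of them fails.
check_host() {
    rc=0
    expect_code TRACE     "$(probe TRACE /          | status_code)" 405 || rc=1
    expect_code TRACK     "$(probe TRACK /          | status_code)" 501 || rc=1
    expect_code .htaccess "$(probe GET   /.htaccess | status_code)" 403 || rc=1
    return $rc
}

# Only probe the network when a hostname was given on the command line.
if [ -n "$1" ]; then
    check_host
fi
```

Run it as sh check-apache.sh www.example.org after restarting Apache; a non-zero exit means at least one of the three responses differs from what the post expects, and the FAIL line names which one.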
Consider these security settings
Don’t wait for a vulnerability scanner to flag your web server settings. If they make sense on your system, consider making these easy changes to your Apache web configuration.