Categories
Apache CentOS Fedora Installation Linux OS RedHat Web Security

How to make Apache Web Server more secure

There are some known security issues that can make an Apache Web Server insecure.

If using Apache as a web service is your approach, then you should scan your web server in first step.

There are many tools to scan a web server. here we will use NIKTO. Nikto is a free tool which is installed on Kali linux by default.

You can scan your server by this command:

nikto -h ictbank.ir

This command may suggests some issues that you have to handle.

Here we will see some of them and try to fix them:

1.The anti-clickjacking X-Frame-Options header is not present.

This vulnerability means that this website could be at risk of a clickjacking attack. (read more: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-x-frame-options-header/)

To secure Apache from this threat, you have to edit Apache config file (/etc/httpd/conf/httpd.conf) and add the follow line:

Header always append X-Frame-Options SAMEORIGIN

You can replace SAMEORIGIN option with one of these:

  • DENY: It completely denies to be loaded in frame/iframe.
  • SAMEORIGIN: It allows only if the site which wants to load has a same origin.
  • ALLOW-FROM URL: It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.

2.The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

As the message indicate, this vulnerability can lead to XSS attacks. (read more: https://www.keycdn.com/blog/x-xss-protection)

To secure Apache from this threat, you have to edit Apache config file (/etc/httpd/conf/httpd.conf) and add the follow line:

header always set X-XSS-Protection "1; mode=block"

3.The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

with this vulnerability there is a possibility to execute style sheet and steal content from another site through content type doesn’t match (read more: https://geekflare.com/secure-mime-types-in-apache-nginx-with-x-content-type-options/)

To secure Apache from this threat, you have to edit Apache config file (/etc/httpd/conf/httpd.conf) and add the follow line:

Header set X-Content-Type-Options nosniff

Don’t forget to restart Apache service after these changes. Good Luck!

Leave a Reply

Your email address will not be published. Required fields are marked *