There are some known security issues that can make an Apache HTTPD Web Server insecure.
If using Apache HTTPD as a web service is your approach, then you should scan your web server in first step.
There are many tools to scan a web server. here we will use NIKTO. Nikto is a free tool which is installed on Kali linux by default.
You can scan your server by this command:
nikto -h ictbank.ir
This command may suggests some issues that you have to handle.
Here we will see some of them and try to fix them:
1.The anti-clickjacking X-Frame-Options header is not present.
This vulnerability means that this website could be at risk of a clickjacking attack. (read more: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-x-frame-options-header/)
To secure Apache HTTPD from this threat, you have to edit Apache HTTPD config file (/etc/httpd/conf/httpd.conf) and add the follow line:
Header always append X-Frame-Options SAMEORIGIN
You can replace SAMEORIGIN option with one of these:
- DENY: It completely denies to be loaded in frame/iframe.
- SAMEORIGIN: It allows only if the site which wants to load has a same origin.
- ALLOW-FROM URL: It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
2.The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
As the message indicate, this vulnerability can lead to XSS attacks. (read more: https://www.keycdn.com/blog/x-xss-protection)
To secure Apache HTTPD from this threat, you have to edit Apache HTTPD config file (/etc/httpd/conf/httpd.conf) and add the follow line:
header always set X-XSS-Protection "1; mode=block"
3.The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
with this vulnerability there is a possibility to execute style sheet and steal content from another site through content type doesn’t match (read more: https://geekflare.com/secure-mime-types-in-apache-nginx-with-x-content-type-options/)
To secure Apache HTTPD from this threat, you have to edit Apache HTTPD config file (/etc/httpd/conf/httpd.conf) and add the follow line:
Header set X-Content-Type-Options nosniff
Don’t forget to restart Apache HTTPD service after these changes. Good Luck!