Security Settings

Last updated: 2017-11-06

Server info.

# Setting Location: /etc/httpd/conf/httpd.conf

ServerTokens

ServerTokens Prod

Arg: Full / Prod / Major / Minor / Min / OS

  • Prod: Server: Apache               <- already the smallest amount of information Apache itself will disclose
  • Major: Server: Apache/2
  • ...
  • OS: Server: Apache/2.4.2 (Unix)

Test

curl -I localhost

HTTP/1.1 200 OK
Date: Wed, 13 Apr 2022 09:04:43 GMT
Server: Apache
...

To disclose even less than Prod, let mod_security overwrite the Server header

# mod_security for Apache

SecRuleEngine on
SecServerSignature " "

ServerSignature

ServerSignature On|Off|EMail

  • Off (the default): suppresses the footer line.
  • On: adds a line with the server version number and the ServerName of the serving virtual host.
  • EMail: additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

SSL

# Settings Location: /etc/httpd/conf.d/vhosts.conf

# Enable TLS v1.2 Only

SSLProtocol       -ALL +TLSv1.2

# Strong Cipher

SSLCipherSuite \
ECDHE-ECDSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305

# HTTP Strict Transport Security (HSTS)

# 7 Days
Header always set Strict-Transport-Security "max-age=604800; includeSubDomains"

# Disable gzip compression completely

X-Frame-Options

Used to indicate whether or not a browser should be allowed to render a page in a

  • <frame>
  • <iframe>
  • <object>

Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three possible values:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM uri

Apache Settings

i.e.

Header always append X-Frame-Options DENY

HTTP Response Header

X-Frame-Options: DENY

More info.

To allow a different domain to embed the content in an iframe, add

Header set X-Frame-Options "ALLOW-FROM https://example.com/"

Allow iframes only from the same domain

Header always append X-Frame-Options SAMEORIGIN

PHP Version

Setting Location: /etc/php.ini

expose_php = off

PHP Session

Setting Location: /etc/php.ini

# Send the session ID cookie only over HTTPS connections

session.cookie_secure = 1

# Marks the cookie as accessible only through the HTTP protocol.
# This means that the cookie won't be accessible by scripting languages, such as JavaScript.

session.cookie_httponly = 1

TRACE

mod: mod_allowmethods

Testing for TRACE support with curl

curl -i -X TRACE http://x/

# Specifies a custom request method to use when communicating with the HTTP server.

-X, --request <command>

Disable TRACE

# 1 - Global disable

# Default: on. When set to off, the core server and mod_proxy answer TRACE with "HTTP/1.1 405 Method Not Allowed"

# Setting Location: /etc/httpd/conf/httpd.conf

TraceEnable off

# 2 - restrict

# mod_allowmethods

<Location "/">
   AllowMethods GET POST OPTIONS
</Location>

OPTIONS method disable

New (IIS 7.x)

IIS Manager -> Request Filtering

Old IIS

IIS Manager -> right click, Properties -> Home Directory -> extension, Edit -> Limit To

Test

curl -i -X OPTIONS http://example.org/path

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2020 09:06:17 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/html

HTTP OPTIONS method

It is used to describe the communication options for the target resource.

The client can specify a URL for the OPTIONS method

OPTIONS /index.html HTTP/1.1

An asterisk (*) to refer to the entire server.

OPTIONS * HTTP/1.1

-i, --include

Include the HTTP response headers in the output.

The HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more...

To view the request headers, consider the -v option.
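The curl checks above look at one header at a time. As an added example (not from the original page), the POSIX shell function below audits a saved response-header capture against every item on this page at once: Server header disclosure, X-Powered-By (expose_php), HSTS, X-Frame-Options, TRACE in the Allow list, and the Secure/HttpOnly flags on the PHP session cookie. The two header captures it runs on are constructed for the example.

```shell
#!/bin/sh
# Audit a captured response-header block (e.g. saved from `curl -I https://host/`)
# against this page's settings. Prints one line per finding, returns the finding count.

check_headers() {
    f="$1"; n=0
    hdr() { grep -i "^$1:" "$f" | head -n1 | tr -d '\r' | sed 's/^[^:]*: *//'; }
    case "$(hdr Server)" in
        ""|Apache) ;;   # ServerTokens Prod, or blanked by SecServerSignature
        *) echo "Server header leaks details: $(hdr Server)"; n=$((n+1)) ;;
    esac
    if [ -n "$(hdr X-Powered-By)" ]; then echo "X-Powered-By set (expose_php not off?)"; n=$((n+1)); fi
    if [ -z "$(hdr Strict-Transport-Security)" ]; then echo "missing HSTS header"; n=$((n+1)); fi
    case "$(hdr X-Frame-Options | tr 'a-z' 'A-Z')" in
        DENY|SAMEORIGIN) ;;
        "") echo "missing X-Frame-Options"; n=$((n+1)) ;;
        *)  echo "X-Frame-Options is neither DENY nor SAMEORIGIN"; n=$((n+1)) ;;
    esac
    case "$(hdr Allow)" in
        *TRACE*) echo "TRACE advertised in Allow (TraceEnable off not applied)"; n=$((n+1)) ;;
    esac
    cookie=$(grep -i '^Set-Cookie:.*PHPSESSID' "$f" | tr -d '\r' || true)   # PHP session cookie
    if [ -n "$cookie" ]; then
        case "$cookie" in *[Ss]ecure*) ;; *) echo "session cookie lacks Secure (cookie_secure)"; n=$((n+1)) ;; esac
        case "$cookie" in *[Hh]ttp[Oo]nly*) ;; *) echo "session cookie lacks HttpOnly (cookie_httponly)"; n=$((n+1)) ;; esac
    fi
    return $n
}

# Constructed captures: a default-looking server, and one after applying this page's settings.
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.2 (Unix)
X-Powered-By: PHP/7.2.0
Set-Cookie: PHPSESSID=constructed0001; path=/
Allow: GET,HEAD,POST,OPTIONS,TRACE
EOF
cat > "$hard" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=604800; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: PHPSESSID=constructed0001; path=/; secure; HttpOnly
Allow: GET,POST,OPTIONS
EOF
check_headers "$weak" || echo "-> $? finding(s) in the unhardened capture"
check_headers "$hard" && echo "-> hardened capture: no findings"
```

To audit a real host, save `curl -I https://host/` to a file and call `check_headers` on it; a non-zero return means at least one item on this page is not in effect.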