The following configuration options in httpd.conf are useful to prevent cross-site scripting and clickjacking attacks:
```apache
# Disable TRACK/TRACE (the RewriteRule answers 403, TraceEnable off answers 405)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable off

# Prevent clickjacking (requires mod_headers)
Header always append X-Frame-Options SAMEORIGIN

# Suppress the version string
ServerSignature Off
ServerTokens Prod
```
In the case of virtual hosts, use the following under each VirtualHost:
```apache
# VirtualHost Security Configuration
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerSignature Off
Header always set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
# Header names take no trailing colon in a Header directive
Header set X-Content-Type-Options "nosniff"
# A wildcard lets any origin read responses; restrict this to the origins that need it
Header set Access-Control-Allow-Origin "*"
```
If you’re using PHP, make sure your configuration file (usually /etc/php.ini) contains:
```ini
expose_php = Off
```
Verify your configuration:
```shell
curl -v -X TRACE http://www.example.com
```
OR
```shell
curl --insecure -v -X TRACE https://www.example.com/
```
A hardened server answers `405 Method Not Allowed` (from `TraceEnable off`) or `403 Forbidden` (from the RewriteRule); the `Server` header in the same output should read just `Apache`, with no version.
If you’re using SSL, legacy protocols should be disabled. Add the following to /etc/httpd/conf.d/ssl.conf (and any relevant VirtualHost configurations). Note that the exclusions at the end of the cipher list must carry the `!` prefix; without it, the null, export, DES, RC4 and MD5 suites would be enabled instead of forbidden.
```apache
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
```
This should also be added to any VirtualHost configuration files (again without a colon after the header name):
```apache
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
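To check a server's responses against the settings above without eyeballing curl output, here is an added Python example (not from the original post) that parses raw `curl -si` output and reports what is still missing. The three responses embedded in it are constructed samples, not captures from a real host.

```python
import re
# Headers the hardened config above is expected to set
EXPECTED = {
    "x-frame-options": re.compile(r"^(SAMEORIGIN|DENY)$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "strict-transport-security": re.compile(r"max-age=(\d+)", re.I),
}
MIN_HSTS_AGE = 31536000  # one year, matching the max-age in the config

def parse_response(raw):
    """Split raw `curl -si` output into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def trace_rejected(raw):
    """TraceEnable off answers 405; the RewriteRule [F] answers 403."""
    return parse_response(raw)[0] in (403, 405)

def audit_headers(raw):
    """Return findings for a normal GET response; an empty list means hardened."""
    _, h = parse_response(raw)
    findings = []
    for name, pattern in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not pattern.search(h[name]):
            findings.append(f"unexpected {name}: {h[name]}")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"hsts max-age below one year: {m.group(1)}")
    # ServerTokens Prod leaves just "Apache"; a "/version" or "(OS)" means it is still on
    if re.search(r"/\d|\(", h.get("server", "")):
        findings.append(f"server header leaks version: {h['server']}")
    if "x-powered-by" in h:
        findings.append("x-powered-by present (expose_php not Off)")
    return findings

# Constructed sample responses (not captured from a real host)
TRACE_RESPONSE = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>")
UNHARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
              "X-Powered-By: PHP/5.4.16\r\n\r\n<html>")
```

In practice, pipe `curl -si -X TRACE https://host/` into `trace_rejected` and `curl -si https://host/` into `audit_headers`.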