The following httpd.conf settings help mitigate cross-site scripting, clickjacking and version disclosure:
# Disable TRACK/TRACE (cross-site tracing)

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable off

# Prevent clickjacking
# "set" rather than "append": appending to a value the application already
# sends produces a comma-joined header that browsers may not honour

Header always set X-Frame-Options SAMEORIGIN

# Suppress the version string

ServerSignature Off
ServerTokens Prod

For virtual hosts, add the following inside each <VirtualHost> block:
# Virtualhost Security Configuration

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        ServerSignature Off
        Header always set X-Frame-Options SAMEORIGIN
        # X-XSS-Protection drives a legacy browser filter; current browsers ignore it
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        # A wildcard origin lets any site read this host's responses cross-origin;
        # only keep it if the vhost serves public resources that need it
        Header set Access-Control-Allow-Origin "*"
If you're using PHP, make sure your configuration file (usually /etc/php.ini) contains:
expose_php = Off

Verify the configuration by sending a TRACE request; the server should answer 403 (from the rewrite rule) or 405 (from TraceEnable off) instead of echoing the request back:
curl -v -X TRACE http://www.example.com

or, over TLS (--insecure skips certificate verification, so use it only against a test host):
curl --insecure -v -X TRACE https://www.example.com/

If you're using SSL, legacy protocols should be disabled. Add the following to /etc/httpd/conf.d/ssl.conf (and any relevant VirtualHost configurations):

# TLSv1.1 is deprecated as well; add -TLSv1.1 where your clients allow it
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder     on
SSLCipherSuite          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
Also add this to each HTTPS virtual host configuration (HSTS is only honoured over TLS):
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
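As an added check beyond the TRACE request, the following Python script (my addition, not part of this wiki page) parses a response as curl -i prints it and reports which of the directives above are not in effect. The sample responses are constructed; the Apache and PHP version strings in them are illustrative only.

```python
# Added example, not from the wiki page: audit a raw HTTP response (as "curl -i"
# prints it) against the header directives above. Sample responses are constructed.
import re

ONE_YEAR = 31536000  # the HSTS max-age used on this page

def parse_response(raw):
    """Return (status, {lowercased-name: [values]}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def trace_blocked(raw):
    """TRACE must be refused: 403 from RewriteRule [F], 405 from TraceEnable off."""
    return parse_response(raw)[0] in (403, 405)

def audit(raw, tls=True):
    """Return a list of findings for one response; empty means it passes."""
    _, h = parse_response(raw)
    first = lambda name: h.get(name, [""])[0]
    findings = []
    if re.search(r"\d", first("server")):  # ServerTokens Prod leaves just "Apache"
        findings.append("Server header leaks a version: " + first("server"))
    if "x-powered-by" in h:  # expose_php = Off removes this
        findings.append("X-Powered-By present; set expose_php = Off")
    xfo = ", ".join(h.get("x-frame-options", [])).upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        # Stacked values such as "SAMEORIGIN, SAMEORIGIN" (what "Header append" yields
        # when the app already sends the header) are not handled uniformly by browsers.
        findings.append("X-Frame-Options missing or invalid: " + repr(xfo))
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if tls and (not m or int(m.group(1)) < ONE_YEAR):
        findings.append("HSTS missing or max-age below one year")
    if first("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is *: any origin may read the body")
    return findings

# Constructed samples: a response after this page's settings, and a stock one.
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>")
STOCK = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
         "X-Powered-By: PHP/5.4.16\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n<html>")
TRACE_REFUSED = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n\r\n"
```

Run curl -i against your own host and pass the output to audit(); trace_blocked() takes the reply to the curl -X TRACE request shown earlier.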

This page (revision-17) was last changed on 24-May-2017 15:30 by Hyve Support