====== Apache Security ======
* [[Apache]]
* [[Apache Server Info]]
* [[Apache SSL]]
* [[Apache suExec]]
* [[CentOS Apache Security]]
Some ways to increase security using Apache 2.2.
* [[http://httpd.apache.org/security/vulnerabilities_22.html|Apache httpd 2.2 vulnerabilities]]
==== mod_core ====
== Minimal server info ==
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
== Lower timeout ==
The default values (CentOS: 120, Gentoo: 300) are high, and can be reduced to help mitigate a denial of service, unintentional or otherwise.
# Timeout: The number of seconds before receives and sends time out.
Timeout 45
== Disable trace behavior ==
# TraceEnable
# This directive overrides the behavior of TRACE for both the core server and
# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
# which disallows any request body to accompany the request. TraceEnable off
# causes the core server and mod_proxy to return a 405 (Method not allowed)
# error to the client.
# For security reasons this is turned off by default. (bug #240680)
TraceEnable off
== Disable server signature ==
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
== Disable range headers ==
RequestHeader unset Range
Note that this may break certain clients, such as e-readers and progressive/HTTP-streaming video players, which rely on byte-range requests. The RequestHeader directive requires mod_headers to be loaded.
To also drop the legacy Request-Range header sent by Netscape Navigator 2-3 and MSIE 3, add:
RequestHeader unset Request-Range
== Disable FileETag ==
The 2.2 default ETag includes the file's inode number, which exposes filesystem details; None disables the header entirely.
FileETag None
== Ignore client-supplied index options ==
Makes mod_autoindex ignore query-string options (sorting, column widths) that clients pass to directory listings.
IndexOptions IgnoreClient
== Message digests ==
* [[http://httpd.apache.org/docs/2.2/mod/core.html#contentdigest|ContentDigest]]
Adds a Content-MD5 header as an integrity check useful for proxies and clients. It is only generated for documents served by the core (static files such as HTML, images and downloads), not for output produced by modules such as PHP.
ContentDigest On
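To check an existing httpd.conf against the directives on this page, here is an added audit script; it is not part of the original page or of Apache, the sample configuration it runs on is constructed, and it only inspects global-scope directives (it does not track <Directory> or <VirtualHost> sections).

```python
"""Audit an Apache 2.2 httpd.conf for the hardening directives listed above."""

# Directive -> predicate that is True when the configured value is hardened.
CHECKS = {
    "ServerTokens": lambda v: v.lower() == "prod",
    "Timeout": lambda v: v.isdigit() and int(v) <= 45,
    "TraceEnable": lambda v: v.lower() == "off",
    "ServerSignature": lambda v: v.lower() == "off",
    "FileETag": lambda v: v.lower() == "none",
    "IndexOptions": lambda v: "ignoreclient" in v.lower().split(),
    "ContentDigest": lambda v: v.lower() == "on",
}


def parse_directives(text):
    """Map lowercased directive name -> list of argument strings, in file order.
    Comments, blank lines and section tags (<Directory ...>, </Directory>) are skipped."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found


def audit(text):
    """Return {directive: 'ok' | 'weak: <value>' | 'missing'}. The last occurrence
    of a directive wins, as in Apache; 'missing' means the compiled-in default applies.
    'RequestHeader Range' is 'ok' only if a 'RequestHeader unset Range' line exists."""
    found = parse_directives(text)
    report = {}
    for name, hardened in CHECKS.items():
        values = found.get(name.lower())
        if not values:
            report[name] = "missing"
        elif hardened(values[-1]):
            report[name] = "ok"
        else:
            report[name] = "weak: " + values[-1]
    unsets = [v.lower().split() for v in found.get("requestheader", [])]
    report["RequestHeader Range"] = "ok" if ["unset", "range"] in unsets else "missing"
    return report


# Constructed sample (not from any real server): mostly distribution-default values.
SAMPLE_CONF = """\
# constructed sample httpd.conf fragment
ServerTokens OS
ServerSignature On
Timeout 120
TraceEnable on
RequestHeader unset Request-Range
ContentDigest On
"""

if __name__ == "__main__":
    for directive, status in audit(SAMPLE_CONF).items():
        print("%-20s %s" % (directive, status))
```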