Apache Secure Default Configuration

The content of httpd.conf should have the following entries:

User apache
Group apache

ServerTokens Prod
ServerSignature Off

TraceEnable off
Timeout 45

FileETag None

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set Cache-Control "max-age=290304000, public"

SetOutputFilter DEFLATE

SetEnvIfNoCase Request_URI \.(?:rar|zip)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpg|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mp4)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary

<Directory />
Options None
Order Deny,Allow
Deny from all
AllowOverride None
</Directory>

<Directory /opt/apache/htdocs>
Options -Indexes -ExecCGI -FollowSymLinks -Includes
Order allow,deny
Allow from all

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

</Directory>

The content of ssl.conf should have the following entries:

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3
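To check that a deployed httpd.conf and ssl.conf actually carry the entries listed above, here is an added audit script (not part of the original post). It parses a few of the directives from both lists and replays, in simplified form, how mod_ssl resolves an SSLProtocol list, so it also catches a list made only of subtractions, which leaves no protocol enabled and stops mod_ssl from starting. The sample fragments and the set of protocol names are constructed for this example.

```python
import re

# Constructed sample fragments (not from the page): one compliant, one with three defects.
GOOD_CONF = ("ServerTokens Prod\nServerSignature Off\nTraceEnable off\nFileETag None\n"
             "SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4\nSSLProtocol all -SSLv2 -SSLv3\n")
BAD_CONF = ("ServerTokens Full\nServerSignature Off\nTraceEnable off\n"
            "SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4\nSSLProtocol -SSLv2 -SSLv3\n")

# Directives the page requires and the value pattern each must match (case-insensitive).
REQUIRED = {"ServerTokens": r"^Prod$", "ServerSignature": r"^Off$",
            "TraceEnable": r"^off$", "FileETag": r"^None$", "SSLCipherSuite": r"!aNULL"}
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def parse_directives(conf_text):
    """Map lower-cased directive name -> list of values; comments and <Section> tags are skipped."""
    found = {}
    for line in (l.strip() for l in conf_text.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def effective_ssl_protocols(value):
    """Simplified mod_ssl model: set starts empty, '+X'/'-X' adjust it, a bare name or 'all' replaces it."""
    canon = {p.lower(): p for p in KNOWN_PROTOCOLS}
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        names = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {canon.get(name.lower(), name)}
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def audit(conf_text):
    """Return findings for a config fragment; an empty list means every check passed."""
    found, findings = parse_directives(conf_text), []
    for name, pattern in REQUIRED.items():
        values = found.get(name.lower())
        if not values:
            findings.append(f"{name}: missing")
        elif not all(re.search(pattern, v, re.IGNORECASE) for v in values):
            findings.append(f"{name}: unexpected value {values!r}")
    for value in found.get("sslprotocol", []):
        enabled = effective_ssl_protocols(value)
        if enabled & {"SSLv2", "SSLv3"}:
            findings.append(f"SSLProtocol: SSLv2/SSLv3 still enabled in {value!r}")
        if not enabled:
            findings.append(f"SSLProtocol: {value!r} leaves no protocol enabled; mod_ssl refuses to start")
    return findings
```

Run `audit(open("/etc/httpd/conf/httpd.conf").read() + open("/etc/httpd/conf.d/ssl.conf").read())` against a real server, adjusting the paths to your layout; only the directives in REQUIRED and SSLProtocol are checked.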
