Setting VirtualHost security configurations in Apache2

This is a follow-up post from: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-security-headers/

Looking to nail down some security settings on your Apache server with relative ease using only the Apache2 VirtualHost config file? Here are some commonly found VirtualHost configuration settings for improving site security. The Header directives need mod_headers (a2enmod headers on Debian/Ubuntu), and the TLS directives need mod_ssl:

    1. HSTS (HTTP Strict Transport Security)
      • Code: Header always set Strict-Transport-Security "max-age=[numerical value in seconds]"
      • Use "set" rather than "add" so the header is emitted once, and "always" so it is also sent on error responses. Append "; includeSubDomains" once every subdomain is served over HTTPS.
    2. X-Frame-Options
    3. Content Security Policy
    4. X-Content-Type-Options
      • Code: Header set X-Content-Type-Options "nosniff"
    5. Cross site scripting protection (X-XSS-Protection)
      • Code: Header set X-XSS-Protection "[value]; [options]"
      • Values are "0" or "1", with the options "1; mode=block" and "1; report=<reporting-URI>" (the separator is a semicolon, not a comma).
      • Caveat: this header drove the browsers' built-in XSS auditor, which Chrome and Edge have since removed and Firefox never implemented. It is a legacy setting; a proper Content Security Policy is what protects against XSS in current browsers.
    6. Referrer Policy
    7. Expect-CT
      • Caveat: Expect-CT is deprecated. Chrome requires Certificate Transparency for every certificate issued since 2018 regardless of this header, so it adds nothing on current browsers and can be dropped.

Here is an example VirtualHost configuration file behind Cloudflare, with Authenticated Origin Pulls turned on so that only Cloudflare's edge can talk to the origin:

<VirtualHost *:443>

    ServerName yourserver.tld
    ServerAlias www.yourserver.tld
    DocumentRoot /dir/www

    # mod_ssl: the origin certificate presented to Cloudflare
    SSLEngine on
    SSLCertificateFile /etc/dir/something.pem
    SSLCertificateKeyFile /etc/dir/something.key

    # Authenticated Origin Pulls: require a client certificate signed by the
    # Cloudflare origin-pull CA, so requests that bypass Cloudflare are rejected
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/dir/cloudflare_origin_ca.pem

    # mod_headers; "always" makes the headers appear on 4xx/5xx responses as well
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin"
    Header always set Expect-CT 'enforce, max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"'
    # The nonce and https: fallback belong inside script-src; a ';' after
    # 'strict-dynamic' would end the directive early (see the note below)
    Header always set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-gnCozcyhm2aPV611HbPaHBjTEuYKUKUY9Rcqwu137lAQ5FKBfwwVXGbt2a66LC2RgMRfUTTWeW1COma3tYZIB1I09O1SdLUHemwDGLcKRhNbG2U3uguVNsKEj81PVYPJ' https:; upgrade-insecure-requests"

</VirtualHost>

Two things to watch in the Content-Security-Policy line. First, in CSP a semicolon ends a directive, so writing "script-src 'strict-dynamic'; https: 'nonce-...'" leaves script-src with only 'strict-dynamic' (which trusts nothing on its own, so every script is blocked) and turns "https:" into an unknown directive name that browsers ignore. Second, a nonce written into the VirtualHost file is the same on every response, so anyone who views the page source knows it and the nonce gives no protection; nonces have to be generated freshly per response by the application (or replaced with script hashes, or a plain host allowlist). The example also sets no default-src, object-src, base-uri or frame-ancestors; a production policy should.
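A quick way to see whether the headers above are actually what the server sends, and to catch the two CSP mistakes just described, is to audit the raw response. The script below is an added example written for this post, not code from the original article: it parses HTTP response headers, checks each header in the list, splits the CSP into directives, and flags an invalid directive name or a nonce that repeats across responses. The two sample responses are constructed (one mirrors the VirtualHost as first posted, one the corrected policy, with the nonce shortened); nothing here is captured from a real host.

```python
"""Audit the security headers a server sends (added example, not the post's code)."""
import re

ONE_YEAR = 31536000
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
DIRECTIVE_NAME_RE = re.compile(r"^[a-z-]+$")

# Constructed sample 1: the post's VirtualHost with the CSP as first written.
RESPONSE_AS_POSTED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "Content-Security-Policy: script-src 'strict-dynamic'; https: 'nonce-gnCoz'; "
    "upgrade-insecure-requests\r\n"
    "\r\n"
)
# Constructed sample 2: the corrected policy (nonce shortened for readability).
RESPONSE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "Content-Security-Policy: script-src 'strict-dynamic' 'nonce-gnCoz' https:; "
    "upgrade-insecure-requests\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Map lower-cased header names to values; status line and body are dropped."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Split a policy into {directive: [sources]}: ';' ends a directive, spaces separate sources."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(raw, seen_nonces=None):
    """Return a list of findings for one response. Pass the same set as seen_nonces
    across several responses to detect a nonce baked into the server config."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
        return findings
    policy = parse_csp(csp)
    for name in policy:  # a stray ';' turns a source like https: into a "directive"
        if not DIRECTIVE_NAME_RE.match(name):
            findings.append(f"CSP has invalid directive name {name!r} (misplaced ';'?)")
    script_src = policy.get("script-src", policy.get("default-src", []))
    nonces = [m.group(1) for m in map(NONCE_RE.match, script_src) if m]
    hashes = [s for s in script_src if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if "'unsafe-inline'" in script_src and not (nonces or hashes):
        findings.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
    if "'strict-dynamic'" in script_src and not (nonces or hashes):
        findings.append("CSP 'strict-dynamic' with no nonce or hash: every script is blocked")
    if seen_nonces is not None:  # a per-response nonce must never repeat
        for nonce in nonces:
            if nonce in seen_nonces:
                findings.append("CSP nonce reused across responses (static nonce in config?)")
            seen_nonces.add(nonce)
    return findings


if __name__ == "__main__":
    for label, raw in (("as posted", RESPONSE_AS_POSTED), ("fixed", RESPONSE_FIXED)):
        print(label + ":", audit(raw, set()) or ["no findings"])
    seen = set()
    audit(RESPONSE_FIXED, seen)
    print("second response, same nonce:", audit(RESPONSE_FIXED, seen))
```

To check a live host, feed audit() the header block that curl -sI https://yourserver.tld prints, and call it twice with a shared set: a config-baked nonce shows up on the second call.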
