This is a follow-up post from: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-security-headers/
Looking to nail down some security settings on your Apache server with relative ease, using only the Apache2 VirtualHost config file? Here are some commonly used VirtualHost settings for improving site security. All of them need mod_headers loaded (a2enmod headers on Debian/Ubuntu). One caveat on the Header directive: a plain "Header set" only applies to successful responses, so Apache-generated error pages (404, 500 and so on) go out without the header; "Header always set" applies it to every response, which is what you normally want for security headers.
- HSTS
- Code:
Header always set Strict-Transport-Security "max-age=[numerical value in seconds]"
- The header name is Strict-Transport-Security (hyphenated throughout). "set" replaces any existing copy of the header, where "add" would emit a second one. Only send it over HTTPS, and make sure every subdomain serves HTTPS before appending "; includeSubDomains".
- X-Frame-Options
- Code:
Header set X-Frame-Options "[option here]"
- Options are SAMEORIGIN and DENY. ALLOW-FROM is obsolete and ignored by current browsers; if you need to permit specific framing origins, use the Content Security Policy directive frame-ancestors instead. See: https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/
- Content Security Policy
- Code:
Header set Content-Security-Policy "default-src '[options here]';"
- The directive is default-src (hyphenated), and the whole policy, trailing semicolon included, has to sit inside the quotes: a semicolon after the closing quote is passed to Apache as an extra argument to the Header directive. Options are many. See: https://content-security-policy.com/
- X-Content-Type-Options
- Code:
Header set X-Content-Type-Options "nosniff"
- Cross site scripting protection (X-XSS-Protection)
- Code:
Header set X-XSS-Protection "[value]; [options]"
- Values are "0" or "1", with the options "1; mode=block" and "1; report=<reporting-URI>"; the separator is a semicolon, not a comma. The header is deprecated: current browsers have removed the filter it controlled, and the filter was itself a source of bugs, so "0" is the recommended value today. Rely on Content Security Policy for XSS defence.
- Referrer Policy
- Code:
Header set Referrer-Policy "[option]"
- Options are many. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- Expect CT
- Code:
Header set Expect-CT '[enforcement option], max-age=[value in seconds], report-uri="[url for reporting]"'
- The options are enforce and report-uri. Expect-CT is obsolete: Certificate Transparency is now required of every publicly trusted certificate and browsers no longer honour the header, so it can be left out. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
Here is an example VirtualHost configuration file for a server behind Cloudflare. The SSLVerifyClient block implements Cloudflare's Authenticated Origin Pulls: the origin only accepts TLS connections that present Cloudflare's origin-pull client certificate, so requests that bypass the proxy are refused at the handshake.
<VirtualHost *:443>
    ServerName yourserver.tld
    ServerAlias www.yourserver.tld
    DocumentRoot /dir/www
    SSLEngine on
    SSLCertificateFile /etc/dir/something.pem
    SSLCertificateKeyFile /etc/dir/something.key
    # Authenticated Origin Pulls: require Cloudflare's client certificate,
    # verified against the Cloudflare origin-pull CA.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/dir/cloudflare_origin_ca.pem
    Header always set Strict-Transport-Security "max-age=31536000"
    Header set X-Frame-Options "DENY"
    # Deprecated header; "0" turns the legacy browser filter off, the CSP below does the work.
    Header set X-XSS-Protection "0"
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin"
    # Obsolete (browsers ignore it); harmless, and can be dropped.
    Header set Expect-CT 'enforce, max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"'
    # The nonce and the https: fallback must be sources of script-src, so they
    # belong before the semicolon; https: is only honoured by browsers that do
    # not understand 'strict-dynamic'. object-src and base-uri are the usual
    # companions of a nonce-based policy. Note that a nonce must be unique per
    # response: a fixed value in the config is not a nonce, since anyone who
    # has seen one page knows it for every page. Generate it in the application
    # and emit the header from there; the value here only shows the shape.
    Header set Content-Security-Policy "script-src 'nonce-gnCozcyhm2aPV611HbPaHBjTEuYKUKUY9Rcqwu137lAQ5FKBfwwVXGbt2a66LC2RgMRfUTTWeW1COma3tYZIB1I09O1SdLUHemwDGLcKRhNbG2U3uguVNsKEj81PVYPJ' 'strict-dynamic' https:; object-src 'none'; base-uri 'none'; upgrade-insecure-requests"
</VirtualHost>
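Once the headers are in place you want to check what the server actually sends, and in particular whether the CSP parses the way you think it does. The script below is an added example written for this post, not code from the original article or from Apache: it parses a Content-Security-Policy value into directives, audits a response's headers against the settings discussed above, and detects a nonce that never changes between responses. The header dictionaries POST_HEADERS and hardened_headers() are constructed samples (POST_HEADERS reproduces the header set as originally published here, with the misplaced ';' in the CSP and a fixed, shortened nonce); the function names and finding codes are this example's own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Directive names a browser understands (CSP Level 3). Anything else in the
# directive position usually means a ';' landed in the wrong place.
KNOWN_CSP_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src", "base-uri",
    "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to", "trusted-types",
    "upgrade-insecure-requests", "block-all-mixed-content", "require-trusted-types-for",
}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[Tuple[str, str]]:
    """Check one response's headers; returns (code, explanation) findings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out: List[Tuple[str, str]] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < min_hsts_age:
            out.append(("hsts-short", f"HSTS max-age below {min_hsts_age}s: {hsts!r}"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("nosniff-missing", "X-Content-Type-Options is not 'nosniff'"))
    # Deprecated header: browsers dropped the filter it controlled and the
    # filter itself could be abused, so '0' or absent is the safe state.
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        out.append(("xss-filter-enabled", f"X-XSS-Protection should be '0' or removed, got {xss!r}"))
    csp = h.get("content-security-policy", "")
    policy = parse_csp(csp)
    if not csp:
        out.append(("csp-missing", "no Content-Security-Policy header"))
    for name in policy:
        if name not in KNOWN_CSP_DIRECTIVES:
            out.append(("csp-bad-directive", f"unknown CSP directive {name!r} (misplaced ';'?)"))
    script = policy.get("script-src", policy.get("default-src"))
    if csp and script is None:
        out.append(("csp-no-script-src", "neither script-src nor default-src is set"))
    elif script is not None and "'strict-dynamic'" in script and not any(
            s.startswith(HASH_OR_NONCE) for s in script):
        out.append(("csp-strict-dynamic-no-nonce",
                    "'strict-dynamic' without a nonce or hash: no script can load"))
    if csp and "object-src" not in policy and "default-src" not in policy:
        out.append(("csp-object-src", "object-src (or default-src) not restricted"))
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        out.append(("framing-unrestricted", "no X-Frame-Options DENY/SAMEORIGIN and no frame-ancestors"))
    return out

def static_nonce(responses: Iterable[Dict[str, str]]) -> bool:
    """True when every response carries the same nonce: it is hard-coded in the
    server config, so one look at any page reveals it for every page."""
    seen = set()
    for r in responses:
        csp = {k.lower(): v for k, v in r.items()}.get("content-security-policy", "")
        seen.add(tuple(s for srcs in parse_csp(csp).values() for s in srcs
                       if s.startswith("'nonce-")))
    return len(seen) == 1 and any(seen.pop())

# Constructed sample: the header set as first published in this post
# (misplaced ';' in the CSP, fixed nonce; the nonce is shortened here).
POST_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Content-Security-Policy": "script-src 'strict-dynamic'; https: 'nonce-gnCozcyhm2aPV611'; upgrade-insecure-requests",
}

def hardened_headers(nonce: str) -> Dict[str, str]:
    """Constructed sample of the corrected policy; `nonce` is the per-response
    value the application generates (e.g. secrets.token_urlsafe(16))."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "0",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": (
            f"script-src 'nonce-{nonce}' 'strict-dynamic' https:; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'; upgrade-insecure-requests"),
    }
```

audit(POST_HEADERS) reports four problems: the legacy XSS filter is enabled, "https:" is sitting in a directive position, 'strict-dynamic' has no nonce or hash next to it (so no script would load at all), and object-src is unrestricted; static_nonce([POST_HEADERS, POST_HEADERS]) is True because the nonce is the same on every response. audit(hardened_headers(...)) returns nothing, and two hardened responses with different nonces are not flagged. To check a live host, build the dictionary from the output of curl -sI against two different pages on the site and pass both responses to static_nonce.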
Instructions for OCSP stapling in the VirtualHost file can be found here: https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm
I have not tested this function yet as my WAF handles the stapling functions.