Securing Apache

Introduction

This isn’t a comprehensive guide to hardening Apache—plenty of folks more qualified have tackled that. Instead, this is a personal overview of what I did, and why.

The "Server in the Cellar" is a standalone machine dedicated to web hosting. Since 2003, it's been humming along with nothing but server software and site files. It doesn’t even know about my other machines. From day one, the logs have shown bot attempts—trying to break out of directories, probing for CGI scripts, and so on. While I doubt I could fend off a determined attacker, disrupting this little machine would be a mean-spirited act.

Hardening Apache not only protects the site but also its visitors.

Apache's default security has served me well for years. I only set up SSL certificates and HTTPS in October 2022, which kicked off my interest in taking security a little further.

A couple of great resources that helped:

• Geekflare Apache Hardening Guide
• Apache's Own Security Tips

Site Testing

Server – Running my own Apache server means I’ve had to learn to test and tune it. A few of the better tools I've used:

• Detectify
• Ionos Website Checker
• Mozilla Observatory
• Pentest-Tools Website Scanner

These tools showed improvements as I hardened the setup. A quick timeline:

• Mozilla Observatory: F (Oct 23) → B- (Nov 20) → B (Nov 26)
• Pentest-Tools: Risk score dropped from High to Low
• Detectify: 19 vulnerabilities (score 5.8) → 7 vulnerabilities (score 4.8)

It's unlikely my server has ever faced a serious attack—it’s just not that important—but these tests have been a solid learning experience.

SSL Certificates – I use Let's Encrypt with an ACME client. Testing tools include:

• Qualys SSL Labs
• Ionos SSL Checker

Server and Site Information

Revealing too much server info is a known risk. Early on, I made mod_status publicly available, which reveals things like server uptime, version, and active threads. That’s handy for me, but not ideal from a security standpoint.

Apache directory listings can be considered a vulnerability. I’ve allowed them in a few folders—mostly for convenience. That decision comes down to balancing transparency and risk.

Common Vulnerabilities

After reading the Geekflare guide and Apache’s own tips, I ran more scans. Here’s the shortlist of headers and policies I looked at:

• Content Security Policy (CSP)
• Cookies
• Cross-Site Scripting (XSS)
• Cross-Site Tracing (XST)
• Mixed Content
• Permissions Policy
• Referrer Policy
• Security.txt
• Strict Transport Security (HSTS)
• X-Content Type Options
• X-Frame Options

Content Security Policy (CSP) {#csp}

CSP helps mitigate XSS and data injection attacks.

To enable CSP in Apache, make sure mod_headers is active:

Uncomment that line in httpd.conf or add it if missing.

In httpd-vhosts.conf (HTTPS sections only), I added:

Helpful tools:

• CSP Evaluator
• Security Headers

Cookies {#cookies}

I don’t use cookies directly, but third-party services like Google Analytics and YouTube do. Browser dev tools now warn if cookies lack the SameSite attribute. These warnings are often outside your control unless you're managing the cookie directly.

Cross-Site Scripting (XSS) {#xss}

Mitigation:

• Sanitize input
• Use a solid CSP
• Monitor logs

The X-XSS-Protection header is now deprecated and not recommended.

Cross-Site Tracing (XST) and Trace Requests {#xst}

TRACE is largely considered safe to ignore nowadays. Apache still supports it by spec, and modern browsers don’t use it. I’ve left it enabled.

Mixed Content (HTTPS vs HTTP) {#mix}

After enabling HTTPS, some old pages had HTTP links. Browsers often auto-upgrade them, but not always. Tools that helped me:

• JitBit SSL Check
• Missing Padlock

Permissions Policy {#permissions}

Controls what browser features can run. Helpful in case of an XSS vulnerability—can prevent attackers from leveraging unused browser APIs.

Docs:

• Chrome Developers
• MDN

Referrer Policy {#referrer}

Controls how much info is sent when navigating to another site. In httpd.conf I added:

Also: always use rel="noopener noreferrer" with target="_blank".

Security.txt File {#sectxt}

This file allows security researchers to contact you. I’ve skipped it since I already get too many emails, and no one has ever sent a security issue.

Strict Transport Security (HSTS) {#hsts}

For HTTPS connections only, in httpd-vhosts.conf:

X-Content Type Options {#xcto}

Prevents MIME type sniffing. In httpd.conf:

X-Frame Options - Iframes and Clickjacking {#xfo}

To prevent clickjacking while still allowing self-hosted iframes:

My Security Headers and Policies

httpd.conf:

httpd-vhosts.conf (HTTPS sections only):