← Back to home
Apache SSL/TLS mod_security Hardening

Apache Hardening

Mar 10, 2025

This guide covers best practices for securing an Apache web server in production, including SSL/TLS configuration, security headers, and mod_security.

1. HTTP Security Headers

Add the following directives to your httpd.conf or VirtualHost block:

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

2. Disable Unnecessary HTTP Methods

<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>

3. Hide Server Information

ServerTokens Prod
ServerSignature Off

4. SSL/TLS with Let's Encrypt

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

5. mod_security (Basic WAF)

SecRuleEngine On
SecRequestBodyAccess On
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403"
SecRule ARGS "@detectXSS"  "id:1002,phase:2,deny,status:403"

Remember to restart Apache after each change: sudo systemctl restart apache2