Implementation of Missing Security Header Vulnerability in Apache (Part 2)
Rahul Sarma
Posted on July 24, 2024
Introduction
In the previous blog, I posted the significance of security headers and how they protect web applications from various vulnerabilities.
In this post, I'll focus on how to configure these essential security headers in an Apache server environment. I'll provide step-by-step guidance on setting up each header. Whether you're a developer, a system administrator, or a security enthusiast, this guide will equip you with the knowledge to enhance your web application's security posture. Let's dive in!!
Setting up the Apache Configuration
Apache uses configuration files to set directives for the server's behavior. There are two main types of files where you can set security headers:
httpd.conf
: This is the main configuration file for Apache. Changes here affect the entire server. It's typically located in the Apache installation directory. (/etc/httpd/conf/httpd.conf
)
.htaccess
: This is a per-directory configuration file. It allows you to set rules for specific directories or web applications.
Before making any changes to your Apache configurations, it's crucial to backup your existing files. If anything goes wrong, you can easily revert to the previous settings.
Implementing Specific Security Headers
Once you've backed up your configuration files, you can start adding security headers. Here, we'll discuss how to implement each of the headers in Apache server:
Use httpd.conf
or .htaccess
file to make the necessary changes.
- Content-Security-Policy
To set a CSP header, use the Header
directive.
Example:
Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'"
This example restricts all content (scripts, styles, images etc.) and the base URL to the same origin as the page, enhancing security by preventing external content loading and URL manipulation.
- X-Content-Type-Options
Add the nosniff
directive to your configuration.
Example:
Header always set X-Content-Type-Options "nosniff"
This example prevents browsers from interpreting files as a different MIME type than what is specified, reducing the risk of MIME type confusion attacks.
- Referrer-Policy
Choose the appropriate referrer policy for your site and add it to your configuration.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
This example sends the full referrer URL when navigating from the same origin but only the origin when navigating to a different origin, enhancing privacy while maintaining some referrer information.
- Strict-Transport-Security
Set the Strict-Transport-Security
with a long duration (max-age
), and optionally includes subdomains.
Example:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This enforces HTTPS for one year, for the site and all its subdomains, protecting against man-in-the-middle attacks by preventing HTTP connections.
- Cache-Control
Define caching policies based on the sensitivity of the data and the need for freshness.
Example:
Header always set Cache-Control "no-cache, no-store, max-age=63115200"
This prevents caching of the resource(no-cache, no-store) and sets a maximum age of approximately two years, ensuring the resources is always fetched fresh but with a long validity period.
- X-Frame-Options
Set the X-Frame-Options
header to either DENY
or SAMEORIGIN
based on your needs
Example:
Header always set X-Frame-Options "DENY"
This example prevents the web page from being embedded in any frame or iframe, protecting against clickjacking attacks by disallowing any framing of the content.
Testing and Verification
Post implementation of these headers, go to the root directory and restart Apache server:
systemctl restart httpd
To test the headers, run the below command in the terminal and check the headers:
curl -I URL
Example:
curl -I https://dev.to/
Note:
I have been implemented these headers in Apache v2.4.35, configurations/files location might be little different in other versions
Conclusion
Implementing these security headers in Apache ensures robust protection for your web application by controlling content sources, preventing MIME type issues, managing referrer information, enforcing HTTPS, and blocking unwanted framing. Regularly review and update these configurations to adapt to evolving security threats.
Posted on July 24, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.