A default Apache configuration discloses a good deal of sensitive information, which an attacker can use to prepare an attack. Understanding and securing these disclosures is one of the most critical tasks for an administrator. According to a report by Cenzic, 16% of vulnerabilities found are information leakage. We need a tool to examine HTTP headers for verification, so let's install the Firebug add-on in Firefox.
- Open Firefox
- Access https://addons.mozilla.org/en-US/firefox/addon/firebug/
- Click on Add to Firefox
- Click on Install Now
- Restart Firefox
- You can see the Firebug icon in the top right bar
We will use this icon to open the Firebug console and view HTTP header information. There are also many online tools that check HTTP header information; here is one you can try out: http://tools.geekflare.com/seo/tool.php?id=check-headers
Remove Server Version Banner
I would say this is one of the first things to consider, as you don't want to expose which web server version you are using. Exposing the version helps an attacker speed up the reconnaissance process. The default configuration exposes the Apache version and OS type, as shown below.
Implementation:
- Go to $Web_Server/conf folder
- Modify httpd.conf using the vi editor
- Add the following directives and save httpd.conf
ServerTokens Prod
ServerSignature Off
- Restart Apache
ServerSignature Off removes the version footer from pages Apache generates itself, such as 403, 404 and 502 error pages. ServerTokens Prod reduces the Server header to the product name only, i.e. Apache.
Verification:
- Open Firefox
- Activate Firebug by clicking the Firebug icon at the top right
- Click on the Net tab
- Hit the URL in the address bar
- Expand the GET request; the Server header now shows just Apache, which is much better than exposing the version and OS type.
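Firebug is one way to look at the headers, but the same check can be scripted and rerun after every configuration change. The following POSIX shell script is an added example, not code from the original article: it reads a response header block from stdin (for instance the output of curl -sI http://localhost/) and flags a Server banner that carries a version or OS detail. It goes slightly beyond this section by also flagging an ETag header, which is covered further down the page. The two response blocks it runs against are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): inspect an HTTP response
# header block for the disclosures discussed on this page. Reads headers from
# stdin, prints one line per header checked, and returns 1 when a Server
# version/OS detail or an ETag header is present, 0 when the response is clean.

check_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # drop CR from CRLF line endings
        case "$line" in
            [Ss]erver:*)
                value=${line#*:}
                value=${value# }
                case "$value" in
                    */*)   echo "LEAK Server banner carries a version: $value"; leaks=1 ;;
                    *\(*)  echo "LEAK Server banner carries OS detail: $value"; leaks=1 ;;
                    *)     echo "OK   Server banner is product-only: $value" ;;
                esac ;;
            [Ee][Tt]ag:*)
                echo "LEAK ETag header present: ${line#*: }"; leaks=1 ;;
        esac
    done
    return $leaks
}

# Helper used by the self-test below: number of LEAK lines for a response block.
count_leaks() {
    printf '%s\n' "$1" | check_headers | grep -c '^LEAK' || true
}

# Constructed sample responses (not captured from any real host).
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache/2.2.15 (Unix)
ETag: "1a2b3c-4d-5e6f7a8b9c0d1"
Content-Type: text/html'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache
Content-Type: text/html'

echo "--- default configuration ---"
printf '%s\n' "$DEFAULT_RESPONSE" | check_headers || echo "result: disclosures found"
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_RESPONSE" | check_headers && echo "result: clean"
```

Against a live server the call is simply `curl -sI http://localhost/ | check_headers`; a non-zero exit status makes it easy to wire into a post-deployment check.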
Disable directory browser listing
Disable directory listing so that visitors don't see which files and folders you have under the document root or a sub-directory. Let's first test how it looks with the default settings.
- Go to $Web_Server/htdocs directory
- Create a folder and a few files inside it
# mkdir test
# touch test/hi
# touch test/hello
Now, let’s try to access Apache by http://localhost/test
As you can see, it reveals every file and folder you have, which you certainly don't want to expose.
Implementation:
- Go to $Web_Server/conf directory
- Open httpd.conf using vi
- Search for Directory and change the Options directive to None or -Indexes
<Directory /opt/apache/htdocs>
Options None
Order allow,deny
Allow from all
</Directory>
(or)
<Directory /opt/apache/htdocs>
Options -Indexes
Order allow,deny
Allow from all
</Directory>
- Restart Apache
Note: if you have multiple Directory directives in your environment, consider doing the same for all of them.
Verification:
Now, let’s try to access Apache by http://localhost/test
As you can see, it displays a Forbidden error instead of showing the test folder listing.
ETag
The default ETag header lets remote attackers obtain sensitive information such as the inode number, multipart MIME boundary and child process through the ETag header. To prevent this disclosure, implement the fix below. This fix is also required for PCI compliance.
Implementation:
- Go to $Web_Server/conf directory
- Add the following directive to httpd.conf and save it
FileETag None
- Restart Apache
Verification:
- Open Firefox and access your application
- Check the HTTP response headers in Firebug; you should not see an ETag header at all.
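Checking the live response only tells you about the host you happened to query. To audit the httpd.conf itself, here is an added shell script (example code, not from the original article) that covers all three settings on this page: ServerTokens and ServerSignature, Options Indexes, and FileETag. It reads a configuration from stdin, ignores comments, matches directive names case-insensitively as Apache does, and matches the Options keywords as written (Indexes, +Indexes, -Indexes, All). It does not follow Include files and does not evaluate Directory scoping, so each Options line is judged on its own and should be read alongside the Directory block it sits in. The two configurations are constructed samples; they use the Order/Allow lines shown above, which are Apache 2.2 access-control syntax (Apache 2.4 replaces them with Require all granted).

```shell
#!/bin/sh
# Added example (not from the original article): audit an httpd.conf read from
# stdin for the three settings covered on this page. Prints one FINDING line
# per missing or weak setting and nothing when the configuration is clean.
# Comment and blank lines are ignored; directive names are matched
# case-insensitively. Include files are not followed and Directory scoping is
# not evaluated: every Options line is judged on its own.

audit_httpd_conf() {
    # Normalise once: strip leading whitespace, drop comment and blank lines.
    body=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d')

    # 1. Server banner: the page's fix is "ServerTokens Prod" + "ServerSignature Off".
    printf '%s\n' "$body" | grep -Eiq '^ServerTokens[[:space:]]+Prod[[:space:]]*$' \
        || echo "FINDING ServerTokens is not Prod: version and OS appear in the Server header"
    printf '%s\n' "$body" | grep -Eiq '^ServerSignature[[:space:]]+Off[[:space:]]*$' \
        || echo "FINDING ServerSignature is not Off: version appears on generated error pages"

    # 2. Directory listing: every Options line that leaves Indexes enabled.
    printf '%s\n' "$body" | grep -i '^Options' | while IFS= read -r opt; do
        case " $opt " in
            *" -Indexes "*) ;;                               # explicitly disabled
            *" +Indexes "*|*" Indexes "*|*" All "*)          # enabled directly or via All
                echo "FINDING directory listing enabled: $opt" ;;
        esac
    done

    # 3. ETag: the page's fix is "FileETag None".
    printf '%s\n' "$body" | grep -Eiq '^FileETag[[:space:]]+None[[:space:]]*$' \
        || echo "FINDING FileETag is not None: inode and mtime appear in the ETag header"
}

# Helper used by the self-test below: number of FINDING lines for a config string.
count_findings() {
    printf '%s\n' "$1" | audit_httpd_conf | grep -c '^FINDING' || true
}

# Constructed sample configurations (not taken from any real server).
DEFAULT_CONF='# stock-style settings: everything disclosed
ServerTokens Full
ServerSignature On
<Directory /opt/apache/htdocs>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>'

HARDENED_CONF='ServerTokens Prod
ServerSignature Off
FileETag None
<Directory /opt/apache/htdocs>
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>'

echo "--- default configuration ---"
printf '%s\n' "$DEFAULT_CONF" | audit_httpd_conf
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_CONF" | audit_httpd_conf
```

On a real server run `audit_httpd_conf < $Web_Server/conf/httpd.conf`; because the script ignores Include directives, feed each included file through it separately as well.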