Harden an Apache httpd server on CentOS with the settings below. Each item states the goal, the file to edit, and the directives to add or replace.
Use HTTPS rather than plain HTTP, and require TLS 1.2 or newer: TLS 1.0 and 1.1 are deprecated, and the cipher list below drops static-RSA key exchange (no forward secrecy), RC4, 3DES, MD5 and anonymous suites. On builds that support it (httpd 2.4.37 with OpenSSL 1.1.1 or later) TLS 1.3 can be allowed as well with SSLProtocol -all +TLSv1.2 +TLSv1.3; older builds reject the TLSv1.3 keyword at startup, so check the version first. Add SSLHonorCipherOrder on in the same place so the server, not the client, picks from the list.
Edit /etc/httpd/conf.d/ssl.conf (CentOS), replacing the existing SSLProtocol and SSLCipherSuite lines inside <VirtualHost _default_:443> (a directive inside the virtual host overrides one at server level, so adding these anywhere else has no effect):
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!kRSA:!RC4:!3DES
Verify from another machine that old protocols are refused, for example openssl s_client -connect host:443 -tls1_1 must fail to complete the handshake.
Disable the TRACE method. TRACE echoes the request back to the client, so a script that can issue one may read cookies and Authorization headers that HttpOnly would otherwise hide (cross-site tracing, XST); it is not a general defence against XSS.
Add to /etc/httpd/conf/httpd.conf (the default is TraceEnable on):
TraceEnable off
Tell browsers to reach the site over HTTPS only (HTTP Strict Transport Security). The header is honoured only when received over HTTPS, so it belongs in the TLS virtual host, and plain-HTTP requests should still be redirected to HTTPS. "always" makes mod_headers add it to error responses as well. includeSubDomains commits every subdomain to HTTPS, and preload should be present only if you intend to submit the domain to the browser preload lists, since removal from them is slow; start with a short max-age and raise it once nothing breaks.
Edit /etc/httpd/conf.d/ssl.conf (CentOS) and add within <VirtualHost _default_:443>:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
An <IfModule> block silently does nothing when the module is not loaded, so confirm with httpd -M | grep headers.
Reduce version disclosure. ServerTokens Prod shrinks the Server header to just "Apache"; pair it with ServerSignature Off so server-generated error pages carry no version line either. This hides information from casual scanners only and is no substitute for patching.
Add to /etc/httpd/conf/httpd.conf:
ServerTokens Prod
Prevent MIME sniffing: with X-Content-Type-Options: nosniff the browser trusts the declared Content-Type and will not execute a text or image response as script. The directive needs mod_headers; "always" makes it apply to error responses too.
Add to /etc/httpd/conf/httpd.conf:
Header always set X-Content-Type-Options "nosniff"
Do not rely on X-XSS-Protection. It controlled the reflected-XSS filter of older browsers; Chrome and Edge have removed that filter and Firefox never had one, so current browsers ignore the header, and where the filter still runs it can be abused to block or leak page content. If you set it at all, set it to 0, and use a Content-Security-Policy for actual XSS mitigation.
Add to /etc/httpd/conf/httpd.conf:
Header always set X-XSS-Protection "0"
Defend against clickjacking by controlling which sites may frame yours. Newer browsers prefer the frame-ancestors directive of Content-Security-Policy, but X-Frame-Options still covers older ones. Only DENY and SAMEORIGIN are valid values, and there is no colon after the header name in the directive.
Add to /etc/httpd/conf/httpd.conf:
Header always set X-Frame-Options "SAMEORIGIN"
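The header settings above are easy to get wrong (a stray colon, a missing module, a forgotten error page) and should be checked on the running server. The following script is an added example, not part of the original guide: it reads raw HTTP response headers on stdin, for instance from curl -s -o /dev/null -D - https://www.example.com/ (www.example.com is a placeholder), and reports whether each header from this list is present with an acceptable value. The script name check_headers.sh and the one-year HSTS threshold are assumptions.

```shell
#!/bin/sh
# check_headers.sh: audit the security headers an Apache vhost actually sends.
# Added example, not part of the original guide. Run against a live server with
#   curl -s -o /dev/null -D - https://www.example.com/ | sh check_headers.sh audit
# (www.example.com is a placeholder host). Only the raw response headers on
# stdin are inspected, so the same functions work on a saved header dump.

# get_header NAME: print the value of the first NAME header in $HDRS
# (name compared case-insensitively), or nothing if it is absent.
get_header() {
    printf '%s\n' "$HDRS" | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            i = index($0, ":"); if (i == 0) next          # status line has no colon
            if (tolower(substr($0, 1, i - 1)) != want) next
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# check_headers: read response headers on stdin, print one line per check and
# return 0 only when every required header is present with an acceptable value.
check_headers() {
    HDRS=$(tr -d '\r')      # curl emits CRLF; drop the CR so values compare cleanly
    rc=0

    # HSTS must be present and commit the browser for at least a year (31536000 s).
    v=$(get_header Strict-Transport-Security)
    age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -ge 31536000 ]; then
        echo "ok:   Strict-Transport-Security max-age=$age"
    else
        echo "FAIL: Strict-Transport-Security missing or max-age below one year ('$v')"; rc=1
    fi

    # Version disclosure: ServerTokens Prod leaves exactly "Apache".
    v=$(get_header Server)
    case "$v" in
        ''|Apache) echo "ok:   Server header reveals no version" ;;
        *)         echo "FAIL: Server header leaks details: '$v' (set ServerTokens Prod)"; rc=1 ;;
    esac

    v=$(get_header X-Content-Type-Options)
    if [ "$v" = "nosniff" ]; then
        echo "ok:   X-Content-Type-Options nosniff"
    else
        echo "FAIL: X-Content-Type-Options missing or not 'nosniff' ('$v')"; rc=1
    fi

    # Browsers accept only DENY or SAMEORIGIN; anything else is ignored or obsolete.
    v=$(get_header X-Frame-Options | tr 'a-z' 'A-Z')
    case "$v" in
        DENY|SAMEORIGIN) echo "ok:   X-Frame-Options $v" ;;
        '')              echo "FAIL: X-Frame-Options missing"; rc=1 ;;
        *)               echo "FAIL: X-Frame-Options has unsupported value '$v'"; rc=1 ;;
    esac

    # Obsolete header: modern browsers ignore it, so it is reported but never fails the audit.
    v=$(get_header X-XSS-Protection)
    [ -z "$v" ] || [ "$v" = "0" ] || echo "note: X-XSS-Protection '$v' is obsolete; use Content-Security-Policy"

    return $rc
}

# Audit stdin when invoked as "check_headers.sh audit"; otherwise only define the functions.
if [ "${1:-}" = "audit" ]; then
    check_headers
fi
```

Run it once per virtual host and once against an error page (for example a 404 URL), since headers set with plain "Header set" disappear on error responses while "Header always set" keeps them.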
Limit the size of request bodies (10485760 bytes is 10 MiB). This caps uploads and other POST bodies and so bounds memory and disk use per request; it does nothing against slow-request attacks such as Slowloris, for which mod_reqtimeout (RequestReadTimeout) is the relevant module. Older 2.4 releases default to no limit at all. The directive can also be set per Directory or Location where a larger upload limit is legitimately needed.
Add to /etc/httpd/conf/httpd.conf:
LimitRequestBody 10485760
Install ModSecurity as a web application firewall together with a rule set; the engine on its own blocks nothing.
For CentOS:
sudo yum install mod_security mod_security_crs
Edit /etc/httpd/conf.d/mod_security.conf: run with SecRuleEngine DetectionOnly first, review the audit log (SecAuditLog, /var/log/httpd/modsec_audit.log in the CentOS package) for false positives against your own application, then switch to SecRuleEngine On.
Check the syntax before reloading, so the running server is never handed a broken configuration:
apachectl configtest
CentOS 7 and later (systemd):
systemctl reload httpd
CentOS 6:
service httpd reload
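The httpd.conf items above can be applied in one step. The following script is an added example, not from the original guide: it writes the server-wide directives into a single conf.d drop-in, checks that mod_headers and mod_ssl are actually loaded (an <IfModule> block hides a missing module silently), syntax-checks with httpd -t, and only then reloads. The file name zz-hardening.conf and the script name apply-hardening.sh are assumptions; the TLS and HSTS settings stay in ssl.conf as described above because directives inside the TLS virtual host override server-level ones.

```shell
#!/bin/sh
# apply-hardening.sh: write the server-wide directives from this guide into one
# drop-in file, confirm the modules they need are loaded, syntax-check, then reload.
# Added example, not part of the original guide. The drop-in name zz-hardening.conf
# is an assumption; TLS settings and HSTS remain in ssl.conf.
set -u

# conf.d/*.conf is included in alphabetical order, so a zz- prefix loads last.
CONF_FILE="${CONF_FILE:-/etc/httpd/conf.d/zz-hardening.conf}"
REQUIRED_MODULES="headers_module ssl_module"

# write_hardening_conf FILE: write the consolidated directives to FILE.
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Server-wide hardening drop-in (managed by apply-hardening.sh)
ServerTokens Prod
ServerSignature Off
TraceEnable off
LimitRequestBody 10485760

# "always" also covers error responses (4xx/5xx), which plain "Header set" skips.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Obsolete header: current browsers ignore it; 0 disables the old filter where it still exists.
    Header always set X-XSS-Protection "0"
</IfModule>
EOF
}

# check_modules: read `httpd -M` output on stdin; return 0 only if every module in
# REQUIRED_MODULES is loaded. Without this, <IfModule> would quietly drop the Header lines.
check_modules() {
    loaded=$(cat)
    missing=0
    for m in $REQUIRED_MODULES; do
        if printf '%s\n' "$loaded" | grep -q "^[[:space:]]*$m[[:space:]]"; then
            echo "ok:   $m loaded"
        else
            echo "FAIL: $m not loaded (check the LoadModule lines in /etc/httpd/conf.modules.d/)"
            missing=1
        fi
    done
    return $missing
}

# apply: the full procedure; must run as root on the target host.
apply() {
    httpd -M 2>/dev/null | check_modules || { echo "aborting: required modules missing" >&2; return 1; }
    write_hardening_conf "$CONF_FILE"
    # Never reload on a broken configuration: httpd -t parses every file and exits
    # non-zero on error, which is far easier to read than a failed reload in the journal.
    if ! httpd -t; then
        echo "aborting: syntax error, $CONF_FILE left in place for inspection" >&2
        return 1
    fi
    systemctl reload httpd
}

# Run the procedure only when invoked as "apply-hardening.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Because the file lives in conf.d, removing it and reloading reverts every setting at once, which is useful when a header breaks an application and you need to roll back quickly.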