
FreeBSD 12 Apache Security and Hardening Guide

A default Apache installation works out of the box, but it does not provide an adequate level of security for a production environment.

In this guide, you will learn to apply basic Apache hardening steps on your server, such as:

  • Hiding server version information
  • Disabling directory listing
  • Reducing the risk of DoS attacks
  • Configuring HTTP security headers
  • Increasing cookie security

What Will You Learn in This Guide?

The following topics will be covered in this document:

  • Hiding Apache server banner information
  • Disabling directory listing
  • Reducing the risk of DoS with timeout settings
  • Disable TRACE method
  • HTTP security header configuration

Preliminaries

Before following these steps, you need to have the following ready:

  • A server running FreeBSD 12.0
  • A configured firewall
  • An installed FAMP stack (FreeBSD + Apache + MySQL + PHP)
  • Active HTTPS certificate with Let's Encrypt

Hiding Apache Server Information (ServerTokens)

By default, Apache exposes its version number and the underlying operating system in the Server response header.
Attackers use this information during reconnaissance to pick exploits that match the reported version.

First, check what version information your Apache server currently exposes (replace the placeholder with your own server's address):

sudo pkg install nmap
nmap -sV -p 80 your-server-ip-address

The service scan prints the version string that Apache reports to the outside world.

Open the Apache configuration file:

sudo vi /usr/local/etc/apache24/httpd.conf

Add or edit the following setting:

ServerTokens Prod

With this setting, the Server header contains only “Apache”, without the version number or operating system.

Restart the Apache service after the change:

sudo apachectl restart

Turning Off Directory Listing

When a directory contains no index file, Apache lists its contents by default, which can expose files that were never meant to be public.

Apply the following setting inside the <Directory> block for your DocumentRoot in httpd.conf:

Options -Indexes +FollowSymLinks

This setting:

  • Prevents directory contents from being listed in the browser
  • Returns a 403 Forbidden error for directories without an index file

Restart the Apache service after the change:

sudo apachectl restart

Reducing Timeout (Reducing DoS Risk)

Long-lived idle connections tie up worker processes, which makes it easier for a DoS attack to exhaust server resources.

Open the following file:

sudo vi /usr/local/etc/apache24/extra/httpd-default.conf

Edit the Timeout value (the file ships with a default of 60 seconds):

Timeout 30

This setting:

  • Closes unresponsive connections sooner
  • Reduces unnecessary use of server resources

Restart the Apache service after the change:

sudo apachectl restart

Disabling TRACE Method

The TRACE method can be used in Cross Site Tracing (XST) attacks, where a reflected request reveals headers such as cookies.

Add the following setting to the Apache configuration:

TraceEnable off

This setting blocks TRACE requests entirely; Apache answers them with 405 Method Not Allowed.

Limiting allowed HTTP methods (Apache 2.4 syntax; the older "deny from all" form only works with mod_access_compat loaded). Place this inside the <Directory> block for your DocumentRoot in httpd.conf:

<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

This configuration allows only the required HTTP methods and rejects all others with 403 Forbidden. If your application needs additional methods (for example PUT, DELETE or OPTIONS for CORS preflight requests), add them to the LimitExcept list.

Restart the Apache service after changes:

sudo apachectl restart

Configuring HTTP Security Headers

HTTP security headers provide additional protection against browser-based attacks.

Add the following settings to the Apache configuration:

<IfModule mod_headers.c>
    # Allow resources only from this origin and upgrade http:// subresource loads to https://
    Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
    # Instruct browsers to use HTTPS only for one year, including subdomains
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Append HttpOnly and Secure to every Set-Cookie header, on error responses too ("always")
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    # Stop browsers from MIME-sniffing responses away from the declared Content-Type
    Header set X-Content-Type-Options "nosniff"
    # Legacy XSS filter switch for older browsers; current browsers ignore it
    Header set X-XSS-Protection "1; mode=block"
    # Send only the origin as referrer, and only over HTTPS
    Header set Referrer-Policy "strict-origin"
    # Forbid embedding the site in frames on any origin (clickjacking)
    Header set X-Frame-Options "DENY"
</IfModule>

Thanks to these settings:

  • The impact of XSS attacks is reduced
  • Clickjacking is prevented
  • Cookie security is increased
  • HTTPS becomes mandatory

Restart the Apache service to apply the changes:

sudo apachectl restart
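To confirm that the ServerTokens, TRACE and header settings above actually took effect, here is an added verification script (not part of the original guide). Each check_* function reads raw HTTP response headers on stdin and returns the number of failed checks; verify_site is a hypothetical wrapper that feeds it live responses from your own server with curl, and the example URL is a placeholder.

```shell
#!/bin/sh
# Post-hardening checks for the settings in this guide. The check_* functions
# read raw HTTP response headers on stdin, print PASS/FAIL lines, and return
# the number of failed checks, so the logic can be exercised offline.

check_response_headers() {
    hdrs=$(tr -d '\r')      # whole header block, CRLF normalised to LF
    fails=0
    chk() {                 # $1 = label, $2 = case-insensitive extended regex
        if printf '%s\n' "$hdrs" | grep -Eiq "$2"; then
            echo "PASS $1"
        else
            echo "FAIL $1"; fails=$((fails + 1))
        fi
    }
    chk "ServerTokens Prod (Server header is just 'Apache')" '^server: *apache *$'
    chk "Strict-Transport-Security"  '^strict-transport-security: *max-age=[0-9]+'
    chk "Content-Security-Policy"    '^content-security-policy: *default-src'
    chk "X-Content-Type-Options"     '^x-content-type-options: *nosniff'
    chk "X-Frame-Options DENY"       '^x-frame-options: *deny'
    chk "Referrer-Policy"            '^referrer-policy: *strict-origin'
    # Every Set-Cookie line must carry both HttpOnly and Secure (no cookies at all is fine)
    bad=$(printf '%s\n' "$hdrs" | grep -Ei '^set-cookie:' \
          | grep -Eivc 'httponly.*secure|secure.*httponly' || true)
    if [ "$bad" -eq 0 ]; then
        echo "PASS Set-Cookie flags"
    else
        echo "FAIL Set-Cookie flags ($bad cookie(s) without HttpOnly+Secure)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

check_trace_blocked() {
    status=$(tr -d '\r' | head -n 1)   # e.g. "HTTP/1.1 405 Method Not Allowed"
    case "$status" in
        *" 405"*|*" 403"*) echo "PASS TRACE rejected: $status"; return 0 ;;
        *)                 echo "FAIL TRACE not rejected: $status"; return 1 ;;
    esac
}

# Live use against your own hardened server (assumes curl is installed):
#   verify_site https://www.example.com/
verify_site() {
    curl -sS -D - -o /dev/null "$1" | check_response_headers
    curl -sS -D - -o /dev/null -X TRACE "$1" | check_trace_blocked
}
```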

Frequently Asked Questions (FAQ)

I'm getting a 403 error. Is there a problem?

No. A 403 Forbidden error is the expected behavior for directories without an index file once directory listing is turned off.

Can the timeout be reduced further?

Yes, but values that are too low may cut off legitimate slow clients and degrade the user experience.

Do these settings reduce performance?

No. In many cases they make more efficient use of server resources.

What should be done if the site no longer works properly after enabling CSP?

External resources (CDN scripts, fonts, etc.) must be added to the Content-Security-Policy header as allowed sources; the browser console lists each blocked resource.

Conclusion

In this guide, you have implemented basic hardening and security settings for Apache HTTP Server on FreeBSD 12.

Thanks to these configurations:

  • Server version information is hidden
  • Directory listing is turned off
  • The risk of DoS attacks is reduced
  • HTTP security headers are enabled

You can safely use these security configurations in your FreeBSD-based projects.

To quickly set up your infrastructure, you can create a server on GenixNode and apply Apache security configurations in minutes.