Information Security, Web, Networks and Systems

Sunday, March 2, 2014

Apache Security - Configuring Secure Response Headers

In this post I talk about how to configure some security options of Apache Web Server. A proper configuration of Apache Web server may extreamely important since it sometimes can prevent certain Web Application Attacks even though the vulnerability is there in the web application. In this post I'll describe how to set configure apache to send Security concerned HTTP headers in its response and hide sensitive information from server response headers.
In a later post I'll describe setting virtual hosts with SSL enabled,request rewriting and redirection.

If you carefully inspect HTTP responses coming from Web Servers from Google or Facebook or any other Securely configured server, you might see several non-http-standard headers inside their response. Some of them are,

X-Frame-Options
X-XSS-Protection
Strict-Transport-Security
X-Content-Type-Options
X-Content-Security-Policy/X-WebKit-CSP

These headers are sent by the web server to trigger browser security mechanisms which browsers use to prevent certain Web Application attacks. You can find more information on these headers at this OWASP page. If not configured manually, these headers are not sent by Apache server and hence browser security mechanisms are not activated.

Example:-
X-Frame-Options  header is sent by a server to prevent ClickJacking attacks. When this header is set to DENY browser do not let you to display the response inside an Iframe. If this header is not set in the response, browser do not trigger that protection mechanism. So, letting a page to be displayed inside an iframe make the application vulnerable to clickjacking attacks.

Another important fact is that most people keep their default configurations left, which in turn reveals some important information about their server to attackers. Have a look at folllowing response.


You can clearly see that above response is coming from an Apache web server with version 2.4.7 and you can see its OpenSSL and PHP versions and on which platform its running (in this case Windows) clearly. An enthusiastic attacker can search online for published vulnerabilities and exploits for above server on the given platform  and the software installed on the server, if a matching exploit found, he can easily attack your web server. So, these information should never be revealed and should be hidden or obfuscated.

So what  we are going to do is,
  • Hide unnecessary headers/information from the server response

  • Add aforementioned security headers to the server response

Hide detailed information from server response headers

To mask detailed information from Server header, edit Apache's /etc/apache2/apache.conf file. Open the file and add following entries at the end.



By changing the parameter of ServerTokens, you can mask information in few levels. Following is possible values for ServerTokens parameter.

ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache

ServerTokens Major
Server sends (e.g.): Server: Apache/2

ServerTokens Minor
Server sends (e.g.): Server: Apache/2.4

ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.4.2

ServerTokens OS
Server sends (e.g.): Server: Apache/2.4.2 (Unix)

After saving the file, if I restart apache server running the command,
sudo service apache2 restart

I can now see that detailed information from the server header are removed and it only displays the server is Apache.


And also we need to hide PHP  version which is disclosed by X-Powered-By header. To do that, simple include following line inside /etc/apache2/httpd.conf file.
Header unset X-Powered-By

This command will remove X-Powered-By header from the response and after restarting apache server you can see there is no more PHP version disclosure in the header.

Configuration of Important HTTP Response Headers

Now we need to server to send Important security headers with the response. You can do this editing very file /etc/apache2/httpd.conf and add following lines.
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff

In this case lets consider only above three headers. Upon this configuration and server restart, you'll now see these headers are now set in the server response.


These are only few configurations. Put a comment if there's any correction or something to be added.

References: