DEV Community

Rahul Sarma
Rahul Sarma

Posted on

Implementation of Missing Security Header Vulnerability in Apache (Part 2)

Introduction

In the previous blog, I posted the significance of security headers and how they protect web applications from various vulnerabilities.

In this post, I'll focus on how to configure these essential security headers in an Apache server environment. I'll provide step-by-step guidance on setting up each header. Whether you're a developer, a system administrator, or a security enthusiast, this guide will equip you with the knowledge to enhance your web application's security posture. Let's dive in!!

Setting up the Apache Configuration

Apache uses configuration files to set directives for the server's behavior. There are two main types of files where you can set security headers:

httpd.conf: This is the main configuration file for Apache. Changes here affect the entire server. It's typically located in the Apache installation directory. (/etc/httpd/conf/httpd.conf)

.htaccess: This is a per-directory configuration file. It allows you to set rules for specific directories or web applications.

Before making any changes to your Apache configurations, it's crucial to backup your existing files. If anything goes wrong, you can easily revert to the previous settings.

Implementing Specific Security Headers

Once you've backed up your configuration files, you can start adding security headers. Here, we'll discuss how to implement each of the headers in Apache server:

Use httpd.conf or .htaccess file to make the necessary changes.

  • Content-Security-Policy

To set a CSP header, use the Header directive.

Example:

Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'"
Enter fullscreen mode Exit fullscreen mode

This example restricts all content (scripts, styles, images etc.) and the base URL to the same origin as the page, enhancing security by preventing external content loading and URL manipulation.

  • X-Content-Type-Options

Add the nosniff directive to your configuration.

Example:

Header always set X-Content-Type-Options "nosniff"
Enter fullscreen mode Exit fullscreen mode

This example prevents browsers from interpreting files as a different MIME type than what is specified, reducing the risk of MIME type confusion attacks.

  • Referrer-Policy

Choose the appropriate referrer policy for your site and add it to your configuration.

Header always set Referrer-Policy "strict-origin-when-cross-origin"
Enter fullscreen mode Exit fullscreen mode

This example sends the full referrer URL when navigating from the same origin but only the origin when navigating to a different origin, enhancing privacy while maintaining some referrer information.

  • Strict-Transport-Security

Set the Strict-Transport-Security with a long duration (max-age), and optionally includes subdomains.

Example:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Enter fullscreen mode Exit fullscreen mode

This enforces HTTPS for one year, for the site and all its subdomains, protecting against man-in-the-middle attacks by preventing HTTP connections.

  • Cache-Control

Define caching policies based on the sensitivity of the data and the need for freshness.

Example:

Header always set Cache-Control "no-cache, no-store, max-age=63115200"
Enter fullscreen mode Exit fullscreen mode

This prevents caching of the resource(no-cache, no-store) and sets a maximum age of approximately two years, ensuring the resources is always fetched fresh but with a long validity period.

  • X-Frame-Options

Set the X-Frame-Options header to either DENY or SAMEORIGIN based on your needs

Example:

Header always set X-Frame-Options "DENY"
Enter fullscreen mode Exit fullscreen mode

This example prevents the web page from being embedded in any frame or iframe, protecting against clickjacking attacks by disallowing any framing of the content.

Testing and Verification

Post implementation of these headers, go to the root directory and restart Apache server:

systemctl restart httpd

To test the headers, run the below command in the terminal and check the headers:

curl -I URL

Example:

curl -I https://dev.to/
Enter fullscreen mode Exit fullscreen mode

Note:

I have been implemented these headers in Apache v2.4.35, configurations/files location might be little different in other versions

Conclusion

Implementing these security headers in Apache ensures robust protection for your web application by controlling content sources, preventing MIME type issues, managing referrer information, enforcing HTTPS, and blocking unwanted framing. Regularly review and update these configurations to adapt to evolving security threats.

Top comments (0)