If you are using the Apache HTTP web server to host your website and you maintain that server, then you should consider the following points:
- Turn on logging and install mod_log_config. You can check the list of loaded modules with this command: apache2ctl -M
- Implement the ModSecurity web application firewall module.
ModSecurity (https://modsecurity.org/) is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it gives web application defenders visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections. A WordPress-specific ruleset is available at https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset
- Implement the mod_evasive module
- Disable extra modules that are not used, to improve performance
- Cross-check directory indexing in apache2.conf | httpd.conf | <vhost>.conf | .htaccess and make sure it is disabled:
Options -Indexes
- Set up the following HTTP limit directives in apache2.conf or httpd.conf:
  - KeepAlive On
  - KeepAliveTimeout
  - LimitRequestBody
  - LimitRequestFields
  - LimitRequestFieldSize
  - LimitRequestLine
  - LimitXMLRequestBody
  - MaxClients
  - MaxKeepAliveRequests
  - MaxRequestWorkers
  - RequestReadTimeout
  - Timeout
- Disable the server signature. Add these lines to apache2.conf | <vhost>.conf | .htaccess (note that ServerTokens is only valid in the main server configuration, not in .htaccess):
ServerSignature Off
ServerTokens Prod
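As an added example (not code from the post), a small Python audit script that checks an Apache configuration fragment against the settings above: the server-signature directives, the request limits and Options -Indexes. The limit ceilings and the two sample fragments are constructed assumptions for the example; the post itself gives no values.

```python
# Checklist auditor for an Apache config fragment (added example, not code from the post).

# Directives the checklist says to set, with the values it recommends.
EXPECTED = {"ServerSignature": "Off", "ServerTokens": "Prod", "KeepAlive": "On"}
# A subset of the limits the checklist lists; the ceilings are assumed for this example.
LIMITS = {"LimitRequestBody": 10485760, "LimitRequestFields": 100,
          "LimitRequestFieldSize": 8190, "LimitRequestLine": 8190, "Timeout": 60}


def parse_directives(text):
    """Yield (name, value) pairs, skipping comments, blank lines and <Section> tags."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit(text):
    """Return a list of findings; an empty list means the fragment meets the checklist."""
    directives = list(parse_directives(text))
    last = {n.lower(): v for n, v in directives}  # directive names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        got = last.get(name.lower())
        if got is None:
            findings.append(f"{name} not set (want {want})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got} (want {want})")
    for name, ceiling in LIMITS.items():
        got = last.get(name.lower())
        if got is None:
            findings.append(f"{name} not set")
        elif not got.isdigit() or int(got) > ceiling:
            findings.append(f"{name} is {got} (want an integer <= {ceiling})")
    # Directory indexing: at least one Options line must carry -Indexes.
    if not any("-Indexes" in v.split() for n, v in directives if n.lower() == "options"):
        findings.append("Options -Indexes not found (directory listing may be enabled)")
    return findings


# Constructed sample fragments: a weak configuration and its hardened counterpart.
WEAK_CONF = "ServerSignature On\nServerTokens Full\nKeepAlive On\n<Directory />\nOptions Indexes\n</Directory>\n"
HARDENED_CONF = ("ServerSignature Off\nServerTokens Prod\nKeepAlive On\nKeepAliveTimeout 5\n"
                 "LimitRequestBody 10485760\nLimitRequestFields 100\nLimitRequestFieldSize 8190\n"
                 "LimitRequestLine 8190\nTimeout 60\n<Directory />\nOptions -Indexes\n</Directory>\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Running it prints eight findings for the weak fragment and OK for the hardened one; point it at a real httpd.conf by reading the file into audit().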
- If the web server language is PHP, the PHP version is exposed in the response header by default. Remove the PHP version from the header in php.ini:
expose_php = Off
- Add these headers to help prevent XSS:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Awesome post! Keep up the great work! 🙂