HTTP Request Methods
The default Apache configuration accepts the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP/1.1. Restrict the server to the methods the application actually needs:
Code
<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>
(deny from all is the Apache 2.2 mod_authz_host syntax that this page's links refer to; on Apache 2.4 the equivalent line is Require all denied.)
Web Application Security
Disable Trace HTTP Request
Code
TraceEnable off
Set cookies with the HttpOnly and Secure flags
Requires mod_headers
Code
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Clickjacking Attack
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Affected elements: <iframe>, <object>
Options:
X-Frame-Options
DENY, SAMEORIGIN, ALLOW-FROM uri
Code
Header always append X-Frame-Options SAMEORIGIN
Cross Site Scripting (XSS)
Code
Header set X-XSS-Protection "1; mode=block"
HTTP Strict Transport Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Code
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
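The directives in the sections above change what the server sends back, so the practical check is on the response headers themselves. The following is an added example, not code from the original post or from Apache: it simulates what the Set-Cookie edit does (mod_headers' $1 is Python's \1, and the pattern matches the whole value, so the flags are appended even when the cookie already has them) and audits a response for the HttpOnly/Secure flags, X-Frame-Options, X-XSS-Protection, HSTS and X-Content-Type-Options. The two response dictionaries are constructed samples; the hardened one reflects the directives on this page, the weak one shows what happens when the application already sent X-Frame-Options and "Header always append" merged a second copy onto it.

```python
import re

# Constructed sample responses (not captured from any real server).
# Header names are lower-cased; each value is a list because Set-Cookie may repeat.
HARDENED_RESPONSE = {
    "set-cookie": ["PHPSESSID=abc123; Path=/;HttpOnly;Secure"],
    "x-frame-options": ["SAMEORIGIN"],
    "x-xss-protection": ["1; mode=block"],
    "strict-transport-security": ["max-age=31536000; includeSubDomains"],
    "x-content-type-options": ["nosniff"],
}

# Constructed weak response: the application set X-Frame-Options itself, so
# "Header always append" produced a comma-merged double value; nothing else is set.
WEAK_RESPONSE = {
    "set-cookie": ["sid=1; Path=/"],
    "x-frame-options": ["SAMEORIGIN, SAMEORIGIN"],
    "strict-transport-security": ["max-age=300"],
}

ONE_YEAR = 31536000  # the max-age used on this page


def apply_cookie_edit(value):
    """Simulate `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`.

    The whole value is matched, so the flags are appended unconditionally:
    a cookie that already carries HttpOnly ends up with it twice.
    """
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", value)


def audit_headers(headers):
    """Return the list of findings for one response; empty means every check passed."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1 or "," in xfo[0]:
        # Two values are not a valid X-Frame-Options header; prefer 'Header always set'.
        findings.append("X-Frame-Options has multiple values; use 'Header always set'")
    elif xfo[0].strip().upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    xss = headers.get("x-xss-protection", [])
    if not xss or xss[0].replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")

    hsts = headers.get("strict-transport-security", [])
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if m is None or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")

    cto = headers.get("x-content-type-options", [])
    if not cto or cto[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


if __name__ == "__main__":
    print(apply_cookie_edit("sid=1; Path=/"))
    for finding in audit_headers(WEAK_RESPONSE):
        print("FAIL:", finding)
    print("hardened response findings:", audit_headers(HARDENED_RESPONSE))
```

To run it against a live server, build the dictionary from the response of an HTTPS request to your own host; the Secure flag and HSTS only make sense over TLS, so a plain-HTTP probe would report them as missing.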
Everything together in the httpd.conf configuration file
Code
CoreDumpDirectory /tmp
# lower the timeout, default is 300
Timeout 80
# Maximum size of the request body.
#LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
#request failed: URI too long (longer than 500)
#LimitRequestLine 500
# new anti-DoS limits
#RLimitCPU 10 20
#RLimitCPU 100 100
#RLimitMEM 10000000 10000000
#RLimitNPROC 25 25
# hide the Apache version, aka version banner
ServerTokens Prod
# security
# http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
TraceEnable off
# security
<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
# https ssl
SSLRandomSeed startup file:/dev/urandom 1024
<IfDefine SSL>
# enable SSLv3 and TLSv1, but not SSLv2
#SSLProtocol all -SSLv2
#SSLProtocol -ALL +SSLv3 +TLSv1
# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# new 2014
# https://www.ssllabs.com/ssltest/analyze.html?d=foro.elhacker.net
# Grade A, previously Grade F
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
#SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+TLSv1:+SSLv2:+EXP:+eNULL
# mozilla
# https://wiki.mozilla.org/Security/Server_Side_TLS
# SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL:!eNULL
# November 2014
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
</IfDefine>
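The combined file above carries two SSLProtocol/SSLCipherSuite pairs, and only the later one (the November 2014 set, which excludes RC4) is the one Apache applies, because a repeated single-valued directive in the same scope is resolved by its last occurrence. The following is an added example, not code from the original post or from Apache: a small linter that parses a httpd.conf excerpt (honouring the backslash continuation used inside SSLCipherSuite), takes the last occurrence of each directive as the effective one, and flags TraceEnable, ServerTokens, SSLProtocol, SSLHonorCipherOrder and an RC4-bearing cipher suite. The two configuration strings are constructed excerpts modelled on this page, not the author's file verbatim; the RC4 check only looks at explicitly named tokens, and "all" is treated as including every legacy protocol so that the lint errs on the conservative side.

```python
import re

# Constructed excerpt modelled on the httpd.conf on this page (not the file verbatim).
# A raw string preserves the backslash continuation Apache accepts in SSLCipherSuite.
HARDENED_CONF = r"""
Timeout 80
LimitRequestFields 40
ServerTokens Prod
TraceEnable off
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
<IfDefine SSL>
# earlier 2014 block: still names RC4
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# November 2014 block: the last occurrence is the effective one
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !RC4 !MD5 !EXP !PSK !SRP !DSS"
</IfDefine>
"""

# Constructed weak counterpart: the legacy lines the page keeps commented out, enabled.
WEAK_CONF = r"""
ServerTokens OS
TraceEnable on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""

# Assumption: treat "all" as every legacy protocol so the lint stays conservative.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def parse_httpd_conf(text):
    """Return {directive_lower: [values in file order]}; sections and comments are skipped."""
    joined = re.sub(r"\\\n\s*", " ", text)  # glue backslash-continued lines
    directives = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives.setdefault(name.lower(), []).append(value)
    return directives


def effective(directives, name):
    """Last occurrence wins, as Apache resolves repeated directives in one scope."""
    values = directives.get(name.lower())
    return values[-1] if values else None


def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3' into the enabled set."""
    enabled = set()
    for tok in value.lower().split():
        if tok.lstrip("+-") == "all":
            enabled.clear() if tok.startswith("-") else enabled.update(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def suite_allows_rc4(suite):
    """True when RC4 is named in the suite without a matching !RC4 exclusion."""
    tokens = re.split(r"[\s:]+", suite.strip())
    excluded = any(t.startswith("!") and "RC4" in t.upper() for t in tokens)
    included = any(not t.startswith("!") and "RC4" in t.upper() for t in tokens)
    return included and not excluded


def lint_config(text):
    """Return findings for the effective settings; an empty list means all checks passed."""
    d = parse_httpd_conf(text)
    findings = []
    if (effective(d, "TraceEnable") or "on").lower() != "off":      # Apache default: on
        findings.append("TraceEnable is not off")
    if (effective(d, "ServerTokens") or "Full").lower() != "prod":  # Apache default: Full
        findings.append("ServerTokens is not Prod")
    proto = effective(d, "SSLProtocol")
    if proto is None or enabled_protocols(proto) & {"sslv2", "sslv3"}:
        findings.append("SSLProtocol allows SSLv2 or SSLv3")
    if (effective(d, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    suite = effective(d, "SSLCipherSuite")
    if suite is None or suite_allows_rc4(suite):
        findings.append("SSLCipherSuite does not exclude RC4")
    return findings


if __name__ == "__main__":
    print("hardened:", lint_config(HARDENED_CONF) or "no findings")
    for finding in lint_config(WEAK_CONF):
        print("FAIL:", finding)
```

Point the linter at a real file with `lint_config(open("/path/to/httpd.conf").read())`; it reads directives flat, so settings scoped to one VirtualHost are reported as if they were global, which is fine for a quick review but not a substitute for `apachectl -S` and an external TLS scan.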