Do you administer an Apache web server? If so, I want to let you in on a sobering statistic – over 30% of compromised websites in 2025 were running on Apache, according to data from the Google Hack Report.
Unfortunately, the default configuration and bundled modules that come with Apache introduce a range of security risks, from information leaks to full system compromise. But securing your Apache server doesn't have to be difficult or require specialized expertise.
In this comprehensive guide, I'll walk you through the top 10 best practices that every Apache admin should know to lock down their servers against attacks. Whether you're just getting started or have years of experience, you'll learn techniques to harden your setup and keep your websites safe.
Let's start by reviewing why proper Apache security matters so much in the first place…
Why Apache Web Server Security Matters
Before digging into specific hardening steps, it's worth underscoring why Apache security deserves so much attention. What exactly are the risks of leaving your server unsecured?
Web Defacement and Data Deletion
In my experience pen testing websites, one of the most common Apache flaws is allowing directory listing when no index page is present. This permits an attacker to browse all files and directories and potentially modify hosted content.
I've seen real-world cases where attackers exploited directory listing to fully deface sites or even delete key files and databases. The impact ranges from embarrassment to utter destruction.
Data Theft and Information Leaks
From 2013 to 2016, over 30 million records were stolen in breaches involving Apache servers, according to Privacy Rights Clearinghouse data. In many cases the root cause was something as simple as outdated protocol and cipher settings, or verbose error pages from the application behind Apache leaking stack traces and internal paths.
Smaller information disclosures, such as leaving ServerSignature on so that every error page prints the exact Apache version, give attackers a reliable starting point for reconnaissance and for choosing exploits that match your build.
Malware Infections and Further Compromise
Flaws in Apache can give attackers an initial foothold to then pivot to more significant infrastructure – web apps, databases, internal networks, etc. In the 2021 Verizon DBIR report, Apache was one of the top vectors for malware delivery and exploit kits.
Once a malicious actor has compromised your Apache server, they can leverage it as a launchpad for further attacks – installing crypto miners, spreading malware, moving laterally, and more.
Clearly, keeping your Apache servers secure is critically important. Now let‘s look at those key steps to lock down your configuration.
10 Apache Hardening Best Practices
1. Disable the HTTP TRACE Method
By default Apache honours the HTTP TRACE method, which echoes the request it received, headers included, back to the client. That looks harmless, but when a browser or plugin flaw lets a script send TRACE requests it enables cross-site tracing (XST): the reflected request hands the attacker's script the victim's cookies, including ones marked HttpOnly, and any Authorization header.
To disable it, add this line to the main server config (httpd.conf, or apache2.conf on Debian/Ubuntu). TraceEnable is valid in server and virtual host context only, not inside <Directory> or .htaccess:
TraceEnable Off
Apache then answers every TRACE request with 405 Method Not Allowed. Verify from outside after reloading: a TRACE request for / should return 405, not a 200 whose body reflects your own request headers. Leave TraceEnable extended (which additionally permits a request body) for lab use only.
2. Run Apache as a Non-Root User/Group
Never let the worker processes that handle requests run as root: a code-execution bug in Apache, or in any CGI or PHP it runs, would then hand the attacker the whole host.
Instead, give Apache its own unprivileged account and point the User and Group directives at it:
User apache
Group apache
Distribution packages usually ship such an account already (apache on Red Hat-based systems, www-data on Debian/Ubuntu); reuse it rather than a login-capable user, make sure it has no shell, and give it read access only to the document root, not write access, so a compromised worker cannot plant files.
The parent process still starts as root so it can bind ports 80 and 443 and read the private TLS key; it then forks the children that drop to the User/Group above, and those children are where an exploit lands. Confirm with ps that every httpd worker runs as that account. This single measure greatly reduces the blast radius of any code-execution bug.
3. Disable Server Signature
By default, Apache appends a footer to every page it generates itself (error pages, directory listings) revealing details like:
Apache/2.4.54 (Unix) Server at www.example.com Port 80
This hands an attacker the exact version to look up known vulnerabilities against.
To remove the footer, add:
ServerSignature Off
Server-generated pages then carry no version or OS details. The directive is valid in server config, virtual host, directory and .htaccess context; set it once at server level so it applies everywhere unless a vhost deliberately overrides it.
4. Restrict Banner Information via ServerTokens
In addition to the signature, Apache sends a Server response header on every response. With the default ServerTokens Full it advertises the exact version, the operating system and the versions of compiled-in modules, for example Apache/2.4.54 (Unix) OpenSSL/1.1.1k PHP/8.1.2.
ServerTokens also controls what ServerSignature prints, so the two directives belong together. Restrict the header to the bare product name with:
ServerTokens Prod
The header then reads simply Apache, with no version, OS or module details. The levels from least to most verbose are Prod, Major, Minor, Min, OS and Full; anything other than Prod leaks at least the major version.
Apache's core configuration cannot suppress the Server header entirely (Header unset Server from mod_headers does not remove it), so Prod is the floor; rewriting the banner needs a third-party module such as mod_security's SecServerSignature. Since a server can always be fingerprinted by its behaviour, treat this as noise reduction rather than a control.
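To see what a response actually leaks before and after applying ServerSignature Off and ServerTokens Prod, here is a small checker in Python. It is an added example written for this guide, not code from the article or from the Apache project: assess_response() is a pure function over a headers dict and a body string so it can be exercised on the constructed sample below, and probe() wraps it around a fetch of a URL that should 404, because server-generated error pages are where the signature footer appears. The level names mirror Apache's ServerTokens values; the sample headers and body are constructed, not captured.

```python
"""Assess what an Apache response leaks about the server (added example)."""
import re
import urllib.request
from urllib.error import HTTPError

# ServerTokens levels, least to most verbose, keyed on the Server header
# shape each one produces. First matching pattern wins.
_TOKEN_LEVELS = (
    (re.compile(r"^Apache$"), "Prod"),
    (re.compile(r"^Apache/\d+$"), "Major"),
    (re.compile(r"^Apache/\d+\.\d+$"), "Minor"),
    (re.compile(r"^Apache/\d+\.\d+\.\d+$"), "Min"),
    (re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]*\)$"), "OS"),
)

# ServerSignature On renders this footer on server-generated pages.
_SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def server_tokens_level(server_header):
    """Map a Server header value to the ServerTokens level that produces it."""
    value = server_header.strip()
    for pattern, level in _TOKEN_LEVELS:
        if pattern.match(value):
            return level
    # Module versions appended after the OS (e.g. "OpenSSL/1.1.1k") mean Full.
    return "Full" if value.startswith("Apache") else "unknown"


def assess_response(headers, body):
    """Return {'server_tokens_level', 'findings'} for one response.

    headers: dict of header name -> value (any case); body: decoded text.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    server = lower.get("server")
    level = None
    if server is not None:
        level = server_tokens_level(server)
        if level != "Prod":
            findings.append(
                f"Server header too verbose ({server!r}); set ServerTokens Prod")
    sig = _SIGNATURE_RE.search(body)
    if sig:
        findings.append(
            f"ServerSignature footer present ({sig.group(1).strip()!r}); "
            "set ServerSignature Off")
    if "x-powered-by" in lower:
        findings.append(
            f"X-Powered-By leaks the application stack: {lower['x-powered-by']!r}")
    return {"server_tokens_level": level, "findings": findings}


def probe(url):
    """Fetch url (ideally a path that 404s) and assess the response."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return assess_response(dict(resp.headers.items()),
                                   resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # a 404 still carries headers and an error body
        return assess_response(dict(err.headers.items()),
                               err.read().decode("utf-8", "replace"))


# Constructed sample: what a default Apache 404 looks like before hardening.
SAMPLE_HEADERS = {"Server": "Apache/2.4.54 (Unix) OpenSSL/1.1.1k",
                  "Content-Type": "text/html; charset=iso-8859-1"}
SAMPLE_BODY = (
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.4.54 (Unix) OpenSSL/1.1.1k Server at www.example.com "
    "Port 80</address>\n</body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])  # e.g. http://yourhost/does-not-exist
    else:
        result = assess_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("ServerTokens level:", result["server_tokens_level"])
    for finding in result["findings"]:
        print(" -", finding)
```

Point it at a URL on your own server that does not exist; after setting both directives and reloading, the level should read Prod and the findings list should be empty.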
5. Allow Access Only from Specific Addresses
Limiting who can reach an application, or at least its admin paths, to known addresses or networks removes most of the Internet from your attack surface.
On Apache 2.4 the mechanism is the Require directive. The Order / Deny from / Allow from directives found in many older guides belong to Apache 2.2 and only work in 2.4 through the mod_access_compat module; mixing the two styles in one config produces confusing results, so use Require consistently. To admit only your internal corporate subnet, add this to the site configuration:
<Directory /path/to/your/site>
# Other settings omitted
Require ip 192.168.1.0/24
</Directory>
Now only clients in 192.168.1.0/24 can reach this directory; everyone else receives 403 Forbidden. Several networks can be listed on one line, and a single host is just:
Require ip 192.168.1.100
Caveat: Require ip tests the address of the TCP peer. If Apache sits behind a load balancer or reverse proxy, that address is the proxy's, so every client is either all allowed or all denied. Configure mod_remoteip (RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy listing the proxy addresses) so Apache substitutes the real client address before the check, and never trust an X-Forwarded-For header that did not come from a proxy you control.
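To check that the allow list is actually holding, and whether anyone is probing for TRACE (section 1), the Python below audits an access log in Apache's combined format. It is an added example written for this guide, not part of the article or of the Apache project: it matches each client address against the same CIDR networks you would give to Require ip, and flags TRACE requests, distinguishing a 405 (blocked, but somebody looked) from a 2xx (TraceEnable is still on). The log lines and the allowed networks are constructed sample data.

```python
"""Audit an Apache combined-format access log for allow-list violations and TRACE probes.

Added example, not code from the article or from Apache.
"""
import ipaddress
import re

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need, or None for lines that are not combined format
    (malformed request lines, or hostnames when HostnameLookups is On)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["host"])
    except ValueError:
        return None
    return {"ip": ip, "method": m["method"], "path": m["path"],
            "status": int(m["status"])}


def audit(lines, allowed_networks):
    """Return (line_no, client_ip, reason) for every line that violates policy.

    allowed_networks: CIDR strings exactly as you would list them for Require ip.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((line_no, None, "unparseable line"))
            continue
        ip = str(rec["ip"])
        # Mixed IPv4/IPv6 membership tests return False rather than raising.
        if not any(rec["ip"] in net for net in nets):
            findings.append((line_no, ip,
                             f"client outside allow list ({rec['method']} "
                             f"{rec['path']} -> {rec['status']})"))
        if rec["method"] == "TRACE":
            if 200 <= rec["status"] < 300:
                findings.append((line_no, ip,
                                 "TRACE succeeded: TraceEnable is not Off"))
            else:
                findings.append((line_no, ip,
                                 f"TRACE probe rejected with {rec['status']}"))
    return findings


# Constructed sample log: one internal client, one external prober, one IPv6
# health check. Addresses are from documentation/private ranges.
SAMPLE_LOG = [
    '192.168.1.37 - - [12/Mar/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:14:07 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:10:14:09 +0000] "TRACE / HTTP/1.1" 405 226 "-" "curl/8.4.0"',
    '192.168.1.100 - - [12/Mar/2024:10:15:31 +0000] "TRACE / HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '2001:db8::10 - - [12/Mar/2024:10:16:00 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "kube-probe/1.28"',
]
ALLOWED = ["192.168.1.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: audit_log.py ACCESS_LOG CIDR [CIDR ...]
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
        nets = sys.argv[2:]
    else:
        lines, nets = SAMPLE_LOG, ALLOWED
    for line_no, ip, reason in audit(lines, nets):
        print(f"line {line_no} {ip or '-'}: {reason}")
```

If Apache sits behind a proxy, %h in the log is the proxy's address and every line will look like a violation; enable mod_remoteip and log %a (the client address after mod_remoteip's substitution) so that both Require ip and this audit see the real client.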
6. Enforce TLS 1.2 or Later
SSLv2 and SSLv3 are broken (POODLE finished off SSLv3) and current OpenSSL builds no longer ship them. TLS 1.0 and 1.1 are formally deprecated by RFC 8996: TLS 1.0 is exposed to BEAST-style attacks on CBC mode, and neither version can negotiate modern AEAD cipher suites.
Disable everything older than TLS 1.2 and enable TLS 1.3 where the build supports it:
SSLProtocol -all +TLSv1.2 +TLSv1.3
The -all token switches every version off and the + entries re-enable only the modern ones. TLS 1.3 needs Apache 2.4.37 or later built against OpenSSL 1.1.1 or later; on older builds leave out +TLSv1.3.
After reloading, verify from outside: openssl s_client -connect yourhost:443 -tls1_1 should fail to handshake, and the SSL Labs Server Test will list exactly which protocol versions your site still accepts.
7. Disable Directory Listings
When a request names a directory that has no index file (see DirectoryIndex, normally index.html), mod_autoindex generates a listing of everything in it if the Indexes option is on, and many distributions ship it on for the document root.
Unless you deliberately publish a file archive, turn listings off so that stray backups, .git directories and copies of config files are not discoverable.
The advice most often given is to set Options to None:
<Directory /path/to/site>
Options None
</Directory>
That works, but it switches off every option at once, including FollowSymLinks, Includes, ExecCGI and MultiViews, and can break an existing site (it also costs performance, because without FollowSymLinks Apache must lstat() every path component). The targeted fix is to subtract only Indexes:
Options -Indexes
A leading - or + merges with the options inherited from enclosing sections, so everything else is left alone. One Options directive must be entirely relative or entirely absolute; Apache refuses a mix such as Options FollowSymLinks -Indexes at startup. With either setting a directory without an index file returns 403 Forbidden, which is also what happens when mod_autoindex is not loaded at all.
8. Remove Unnecessary Modules
Apache is modular, and most distribution packages load far more modules than a given site uses; every loaded module is code that parses untrusted input on the request path.
Identifying and unloading what you don't need shrinks the attack surface and makes the configuration easier to review. httpd -M (or apachectl -M) prints the modules currently loaded, which is the list to work from.
Comment out or delete the LoadModule lines in httpd.conf for modules you don't use, for example:
# Disable status module
#LoadModule status_module modules/mod_status.so
# Remove autoindex module
#LoadModule autoindex_module modules/mod_autoindex.so
On Debian and Ubuntu the equivalent is a2dismod status followed by a reload. mod_status is a good first candidate: /server-status reveals client addresses, request URLs and worker state to anyone who can reach it, so if you do need it, restrict that Location with Require local. Reload and check that the site still works after each removal.
9. Use Strong Cipher Suites
Apache passes the SSLCipherSuite string to OpenSSL unchanged, so this one string decides what can be negotiated over TLS 1.2. Older guides recommend a broad subtraction such as ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM, but that string explicitly keeps RC4 and admits CBC-mode suites and static-RSA key exchange, which has no forward secrecy. List the allowed suites positively instead; this is the Mozilla intermediate profile:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
Everything not named is refused, which removes NULL ciphers, anonymous DH, export grade, RC4, 3DES, MD5 and non-forward-secret RSA key exchange in one step. TLS 1.3 suites are fixed by the protocol and are not affected by this directive.
If you must keep an ALL-based string for a legacy client population, at minimum subtract these:
| Option | Effect |
|---|---|
| !MD5 | Removes suites using MD5 as the MAC |
| !DES | Removes single-DES suites (add !3DES for triple DES) |
| !RC4 | Removes RC4 suites |
| !kRSA | Removes static RSA key exchange, leaving only forward-secret (EC)DHE |
Either way, test the live result with the SSL Labs Server Test; it reports every suite the server accepts per protocol version and flags the weak ones.
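Because Apache hands SSLCipherSuite straight to OpenSSL, and Python's ssl module wraps that same library, you can expand any candidate string offline and see exactly which suites it admits on your build before touching the server. The Python below is an added example, not code from the article or from Apache; it compares the legacy ALL-based string older guides recommend with the Mozilla intermediate profile and flags every suite that lacks forward secrecy or is not an AEAD construction. The two strings are the ones discussed in this section; the weakness criteria and the prefix test for ephemeral key exchange are my choices.

```python
"""Expand an Apache SSLCipherSuite string via OpenSSL and flag weak TLS 1.2 suites.

Added example, not code from the article or from Apache.
"""
import ssl

# Inputs under comparison: the legacy subtraction string and the Mozilla
# "intermediate" profile recommended in this section.
LEGACY = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
HARDENED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
)

# OpenSSL suite names starting with these use ephemeral (EC)DH key exchange,
# i.e. they provide forward secrecy. Static RSA suites have no such prefix.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


def tls12_suites(cipher_string):
    """Return OpenSSL's cipher dicts for cipher_string, in server preference order,
    excluding TLS 1.3 suites (those are not governed by SSLCipherSuite).

    Raises ssl.SSLError if the string selects nothing, which is also the case
    Apache rejects at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    return [c["name"] for c in tls12_suites(cipher_string)]


def weak_suites(cipher_string):
    """Return (name, reason) for every enabled suite without forward secrecy or AEAD."""
    weak = []
    for c in tls12_suites(cipher_string):
        reasons = []
        if not c["name"].startswith(FORWARD_SECRET_PREFIXES):
            reasons.append("no forward secrecy")
        if not c["aead"]:  # CBC, RC4 and 3DES suites all report aead == False
            reasons.append("not AEAD")
        if reasons:
            weak.append((c["name"], ", ".join(reasons)))
    return weak


if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY), ("hardened", HARDENED)):
        names = suite_names(spec)
        weak = weak_suites(spec)
        print(f"{label}: {len(names)} TLS<=1.2 suites enabled, {len(weak)} weak")
        for name, why in weak[:10]:
            print(f"  {name}: {why}")
```

On a typical OpenSSL build the legacy string enables dozens of suites and flags many of them (the static-RSA AES-GCM and all CBC suites, for instance), while the hardened string yields only ECDHE/DHE AEAD suites and an empty weak list. The exact counts depend on the OpenSSL version and its security level, which is precisely why you should run this against the build your Apache links to.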
10. Keep Apache Updated and Patched
Like any software, new vulnerabilities in Apache are constantly being discovered. To stay secure, you need to keep your version updated and patched.
Always upgrade to the latest stable release unless you have a compelling compatibility reason not to. Apache's release history (the CHANGES file and the security vulnerability pages for the 2.4 branch) shows what each release fixes.
You should also subscribe to the Apache announcements list to receive notifications about new versions, security issues, and patches.
Conclusion
Proper configuration is crucial for Apache security. The steps outlined in this guide will get you off on the right foot. However, true security is an ongoing process.
Be sure to:
- Regularly scan your site for vulnerabilities
- Monitor announcements for new Apache issues
- Research additional hardening techniques
- Update configurations as best practices evolve
With vigilance and care, Apache can continue to be a reliable, secure web server platform for hosting all your most critical sites and applications.