Server Security (Apache, Nginx, Tomcat)

Krishna Yemineni
Sep 13, 2018


Sharing the knowledge! I am pretty sure I have not covered everything here. Please feel free to correct me or add more details.

Configuration standard for secure Apache, Nginx and Tomcat servers
Server Signatures and Tokens:

By default almost all Apache installations reveal server details in the Server response header and in the footer of server-generated pages: the Apache version number, the server operating system, installed Apache modules, the PHP version (via the X-Powered-By header) and so on. Attackers use this information to pick exploits that match the exact versions in use.

Configuring PHP (php.ini)

expose_php = Off

Configuring Apache (httpd.conf)

ServerSignature Off

ServerSignature Off only removes the version footer from server-generated pages (error pages, directory listings). The Server response header is controlled separately by the ServerTokens directive, which should be set to Prod so that only "Apache" is sent.

Configuring Nginx (nginx.conf)

server_tokens off;

This hides the version number from the Server header and from error pages; Nginx still sends "Server: nginx". Removing the header entirely needs the headers-more module or a custom build.

X-Frame Options:

The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a frame, iframe or object. Sites use it to prevent clickjacking attacks by ensuring that their content is not embedded into other sites.

There are three possible directives for X-Frame-Options:

X-Frame-Options: deny

X-Frame-Options: sameorigin

X-Frame-Options: allow-from https://example.com/

allow-from is obsolete: Chrome and Safari never supported it and Firefox has removed it, so only DENY and SAMEORIGIN are reliable. To allow framing from a specific origin, use the Content-Security-Policy frame-ancestors directive instead.

Configuring Apache (httpd.conf)

Header always set X-Frame-Options "DENY"

Use set rather than append here: append joins the new value onto any X-Frame-Options header already present (giving e.g. DENY, SAMEORIGIN), and browsers ignore the header when its value is not exactly DENY or SAMEORIGIN. The always condition makes the header appear on error responses as well.


Configuring Nginx (nginx.conf)

add_header X-Frame-Options sameorigin always;

Note that add_header is inherited from the enclosing level only if the current block (server or location) defines no add_header of its own: a single add_header inside a location block silently drops every header set at the server level, so re-declare the full set there or keep them in an included file. The always parameter makes Nginx send the header on error responses too.

Configuring Tomcat (web.xml)

This filter definition is already present, commented out, in Tomcat's conf/web.xml; uncomment it there or copy it into the application's web.xml. Besides X-Frame-Options it also sends X-Content-Type-Options: nosniff by default and, on HTTPS connections, a Strict-Transport-Security header.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

X-XSS Protection:

The HTTP X-XSS-Protection response header controls the built-in reflected cross-site scripting (XSS) filter of Internet Explorer, Chrome and Safari, which stops a page from loading when it detects a reflected XSS attack.

There are four possible values for X-XSS-Protection:

X-XSS-Protection: 0

X-XSS-Protection: 1

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=<reporting-uri>

Use 1; mode=block: a plain 1 makes the browser sanitise the page instead of blocking it, and that rewriting has itself been abused to break scripts selectively. Note that Chrome and Edge have since removed their XSS filters and Firefox never implemented one, so this header is now only a legacy measure for old browsers; a Content-Security-Policy is the real defence against XSS.

Configuring Apache (httpd.conf)
Header set X-XSS-Protection "1; mode=block"

Configuring Nginx (nginx.conf)

add_header X-XSS-Protection "1; mode=block";

X-Content-Type-Options:

The X-Content-Type-Options response header tells the browser that the MIME type advertised in the Content-Type header is authoritative and must be followed. It lets the site opt out of MIME type sniffing, which can otherwise turn an uploaded file or a misconfigured response into executable script or a stylesheet; in other words, it is a way of saying that the webmasters knew what they were doing. nosniff is the only defined value.

Configuring Apache (httpd.conf)

Header always set X-Content-Type-Options "nosniff"

Configuring Nginx (nginx.conf)

add_header X-Content-Type-Options nosniff;

Cookie Secure, HttpOnly:

The Secure flag is an attribute the application server can set when sending a new cookie in an HTTP response; it tells the browser to send the cookie only over HTTPS, so it is never observed by unauthorized parties in clear text on the network. The HttpOnly flag hides the cookie from client-side script (document.cookie), so a cross-site scripting bug cannot simply read and exfiltrate the session cookie.

Configuring Apache (httpd.conf)

Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"

This rewrite appends the flags to every Set-Cookie the server or its backend emits, so only use it on sites served over HTTPS (a browser discards a Secure cookie received over plain HTTP), and be aware that it duplicates a flag the application already set. Setting the flags in the application itself is preferable where possible.

Configuring Tomcat (context.xml)

<Context useHttpOnly="true">

useHttpOnly defaults to true since Tomcat 7, so it only needs to be set explicitly on older versions or where it was turned off. The Secure flag on the session cookie is configured separately, in the application's web.xml under session-config, by setting the cookie-config element's secure value to true.
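To verify that a server actually sends the settings from the sections above (server banner, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and the Secure/HttpOnly cookie flags), here is an added audit script. It is example code written for this page, not part of the original post or of Apache, Nginx or Tomcat. It parses a raw HTTP response, reports each missing or invalid setting and prints the directive that fixes it; the finding labels are this example's own, and the two responses in the script are constructed samples, not real captures. In practice, feed it the output of curl -si https://host/. It checks for the "1; mode=block" value the post recommends for X-XSS-Protection, even though current browsers no longer implement that filter.

```python
import re

# Finding label -> directive that fixes it (Apache mod_headers/core, nginx, PHP, Tomcat).
# The labels are this example's own; the directives are standard syntax.
REMEDIATION = {
    "server-version-leak": "Apache: ServerTokens Prod (with ServerSignature Off); Nginx: server_tokens off;",
    "x-powered-by-leak": "php.ini: expose_php = Off (or Apache: Header unset X-Powered-By)",
    "xfo-missing": 'Apache: Header always set X-Frame-Options "DENY"; Nginx: add_header X-Frame-Options DENY always;',
    "xfo-invalid": "Value must be exactly DENY or SAMEORIGIN (use Header set, not Header append; allow-from is obsolete)",
    "xss-protection-missing": 'Apache: Header always set X-XSS-Protection "1; mode=block"',
    "nosniff-missing": 'Apache: Header always set X-Content-Type-Options "nosniff"; Nginx: add_header X-Content-Type-Options nosniff always;',
    "cookie-missing-secure": 'Apache: Header edit Set-Cookie ^(.*)$ "$1; Secure"; Tomcat web.xml: <cookie-config><secure>true</secure></cookie-config>',
    "cookie-missing-httponly": 'Apache: Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"; Tomcat context.xml: <Context useHttpOnly="true">',
}

VERSION_RE = re.compile(r"\d+\.\d+")  # "Apache/2.4.29" leaks a version; a bare "Apache" does not


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value), ...]).

    Accepts CRLF or LF line endings; everything after the first blank line (the body)
    is ignored. Repeated headers such as Set-Cookie are kept as separate entries.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return (lines[0] if lines else ""), headers


def _values(headers, name):
    return [v for n, v in headers if n == name]


def audit(raw):
    """Return the sorted list of finding labels for one raw response (empty list = hardened)."""
    _, headers = parse_response(raw)
    findings = set()

    if any(VERSION_RE.search(v) for v in _values(headers, "server")):
        findings.add("server-version-leak")
    if _values(headers, "x-powered-by"):  # PHP adds this unless expose_php = Off
        findings.add("x-powered-by-leak")

    xfo = [v.strip().lower() for v in _values(headers, "x-frame-options")]
    if not xfo:
        findings.add("xfo-missing")
    elif any(v not in ("deny", "sameorigin") for v in xfo):
        # Catches "DENY, SAMEORIGIN" produced by Header append, and the obsolete allow-from.
        findings.add("xfo-invalid")

    xss = [v.replace(" ", "").lower() for v in _values(headers, "x-xss-protection")]
    if "1;mode=block" not in xss:
        findings.add("xss-protection-missing")

    if "nosniff" not in [v.strip().lower() for v in _values(headers, "x-content-type-options")]:
        findings.add("nosniff-missing")

    for cookie in _values(headers, "set-cookie"):
        pair, _, attrs = cookie.partition(";")          # "name=value" ; "Path=/; HttpOnly; ..."
        name = pair.partition("=")[0].strip()
        flags = {a.strip().lower() for a in attrs.split(";")}
        if "secure" not in flags:
            findings.add("cookie-missing-secure:" + name)
        if "httponly" not in flags:
            findings.add("cookie-missing-httponly:" + name)
    return sorted(findings)


def remediation(finding):
    """Look up the fixing directive; cookie findings carry ':<cookie name>' after the label."""
    return REMEDIATION[finding.split(":", 1)[0]]


# Constructed sample responses (not real captures): a default LAMP-style reply and a hardened one.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.4.29 (Ubuntu)",
    "X-Powered-By: PHP/7.2.10",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: PHPSESSID=abc123; Path=/",
    "Set-Cookie: theme=dark; Path=/; HttpOnly",
    "",
    "<html><body>hello</body></html>",
])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Content-Type: text/html; charset=UTF-8",
    "X-Frame-Options: DENY",
    "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "",
    "<html><body>hello</body></html>",
])

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f}\n      fix: {remediation(f)}")
```

The weak sample produces eight findings (version leak, X-Powered-By, the three missing headers, and Secure/HttpOnly gaps on each cookie); the hardened sample produces none. Because the check for X-Frame-Options requires the value to be exactly DENY or SAMEORIGIN, it also flags the "DENY, SAMEORIGIN" value that an Apache Header append produces on a server that already sets the header.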

Other Measures for secure applications and websites:

· Disable SSLv3, TLS 1.0 and TLS 1.1 (TLS 1.2 should be the minimum; TLS 1.0 and 1.1 have been formally deprecated by RFC 8996)

· Disable weak ciphers (ssllabs.com is a great source to find the weak ciphers allowed in your sites)

· Cookie information disclosure, for example load-balancer persistence cookies that encode backend server addresses (can be modified in the F5 config or the server config)

· Install SSL Certs and force HTTPS on all sites

· Regular patching

Resources:

https://www.owasp.org
https://developer.mozilla.org
https://www.if-not-true-then-false.com
