secure.conf

# Basic options to try to secure apache
# References: https://geekflare.com/apache-web-server-hardening-security/#4-Web-Application-Security

# ServerSignature will remove the version information from the page generated
# like 403, 404, 502, etc. by apache web server. ServerTokens will change
# Header to production only, i.e. Apache
ServerTokens Prod
ServerSignature Off

# ETag allows remote attackers to obtain sensitive information like inode
# number, multipart MIME boundary, and child process through Etag header. 
# This is required to fix for PCI compliance.
FileETag None

# By default Trace method is enabled in Apache web server. Having this enabled
# can allow Cross Site Tracing attack and potentially giving an option to a
# hacker to steal cookie information.
TraceEnable off

# Mitigate most of the common Cross Site Scripting attack using HttpOnly and
# Secure flag in a cookie. Without having HttpOnly and Secure, it is possible
# to steal or manipulate web application session and cookies and it’s
# dangerous.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Clickjacking is well-known web application vulnerabilities. Kill it.
Header always append X-Frame-Options SAMEORIGIN

# Cross Site Scripting (XSS) protection can be bypassed in many browsers.
# if it was disabled by the user, it'll be caught here. This is used by
# a majority of giant web companies like Facebook, twitter, Google, etc.
Header set X-XSS-Protection "1; mode=block"

# HTTP 1.0 has security weakness related to session hijacking. We can disable
# this by using the mod_rewrite module.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# By default Apache time-out value is 300 seconds, which can be a victim of
# Slow Loris attack and DoS. To mitigate this we can lower the timeout value
# to maybe 60 seconds.
Timeout 60