Apache HTTP Server is by far the most widely used web server software in the world. Most web hosting providers will host your website on a server running Apache, and many of the web’s top sites run Apache. If you have your own virtual private server or dedicated server, you will be responsible for managing and securing Apache. The following are some tips you can use to keep your Apache web server secure:
1. Disable directory indexing – With directory indexing enabled, any user who accesses your website can see the contents of directories that do not have default pages (i.e. index.html or index.php). This can present a serious security risk. By disabling directory indexing, you prevent those files from being visible.
2. Install an application firewall – You have likely heard of a network firewall. Hopefully, you already have one of those. An application firewall is designed to secure your web applications. It sits in between the web and your Apache installation making it more difficult for would-be attackers to exploit your scripts for nefarious purposes. ModSecurity is a good choice for an open source application firewall.
3. Disable Apache Signature – By default, Apache sends information about itself to the client. That information may include the name of the application, version number, and possibly even the operating system, all of which an attacker can use to find vulnerabilities. By disabling the ServerSignature and ServerTokens, you can limit the amount of knowledge an attacker will have about your server.
These are just a few ideas you can use to secure your Apache installation. For more useful ideas, see the Apache HTTP Server online documentation.