Top 7 Apache security best practices

Most folks in IT are familiar with Apache at some level. It’s an open source web server, created in 1999 and maintained by a community of developers under the guidance of the Apache Software Foundation. Based on the latest numbers Apache is used by 58.4% of all the websites, followed by Nginx (23.3%) and Microsoft IIS (13.2%).  The numbers indicate the reliance that folks place on Apache to run their web services. It’s a proven, reliable tool. But as we all know 2014 was a really bad year for cyber-crime and web attacks. So it’s incumbent upon businesses and individuals alike to do everything they can to ensure their Apache server is safe against attack. This starts with securing, or hardening, your setup. Here are 7 items to check to guarantee you’re getting the most out of your Apache setup.


apache optimization


1. Keep your Apache updated with the latest releases and patches


As mentioned, Apache is maintained through a community of developers who are committed to keeping the software current and robust. New fixes and security patches are added in every release. So one best practice is to always upgrade to the latest stable version of Apache. This will ensure that you keep your services and applications running securely.


2. Disable Directory Listing


By default Apache lists all the content of its Document root directory in the absence of the index file.


apache security


In other words, if the base file like index.html or index.php is not available then anyone can see all files and sub-directories listed in the browser. This creates a security vulnerability because an attacker could analyze the source code for possible security flaws or to obtain more information about an application, such as database connection strings, passwords to other systems; therefore it’s best to disable the directory listing. To disable directory browsing, you just need to set the Options directive in the Apache httpd.conf file as follows:


disable directory listing


3. Disable unnecessary modules


By default Apache comes with a number of pre-installed and enabled modules. However, this creates an additional security vulnerability. In order to reduce your chances of becoming a victim of a web attack it’s best to disable the modules that are not currently being used. Unnecessary modules can be disabled by going into the httpd.conf file and adding a # character in front of the LoadModule line.


4. Turn off unnecessary services


You can disable unnecessary services CGI execution, symbolic links, and server side includes by using the Options directive from the httpd.conf configuration file. The image below example shows what you need to include in your config file to disable CGI and includes:


turn off unnecessary services


5. Ensure that Apache server-info is disabled


If the <Location /server-info> directive in the httpd.conf configuration file is enabled it displays information about the Apache configuration when the /server-info page is accessed from This could potentially include sensitive information about server settings such as the server version, system paths, database names, library information, and so on. This information can be disabled by commenting out the <Location /server-info> directive from the httpd.conf configuration file per below:


apache security best practices


6. Disable Trace HTTP Request


‘TRACE’ is a HTTP request method used for debugging which echoes back the received request for a client so that he may see what changes or additions have been done. This functionality creates a security vulnerability because an attacker can exploit it and steal sensitive information via headers like cookies and website credentials. You can disable this simply by changing the directive in your httpd.conf file to TraceEnableOff.


7. Distribute ownership and don’t run Apache as ‘root’


Running Apache server as root is security issue. The reason is straightforward; if an attacker can gain entry to a website then they will have full root (admin) access to the entire server. Just like you wouldn’t leave a master key on the front porch of your home, take precautions and avoid running Apache as root access.