Difference between revisions of "Apache Hardening"
Revision as of 09:00, 23 August 2022
There are various ways that Apache configuration can be hardened to make it more secure. The suggested configuration changes below are informed by https://securityheaders.com/. Much of this is quite generic and could be applied to any web host, not just an EPrints repository, but some of it needs to be configured specifically for an EPrints repository.
HTTP Strict Transport Security (HSTS)
HSTS ensures that a user's web browser only uses HTTPS to reach the repository once it has seen the header: the browser remembers the policy for max-age seconds and rewrites any later http:// request to https:// itself, so there is no plain-HTTP round trip for an attacker on the network to intercept. Browsers ignore the header on plain HTTP responses, so it belongs in the HTTPS virtualhost. The following line should be added near the top of the HTTPS virtualhost (i.e. in the archive's ssl/securevhost.conf):
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
max-age=31536000 is the recommended length in seconds (365 days, i.e. approx. 1 year). The timer is refreshed every time the browser sees the header, so it is worth starting with a short value (a few minutes) while testing and raising it to a year once everything is served correctly over HTTPS. includeSubDomains is not absolutely necessary unless the repository has alternative hostnames that are under the primary hostname (e.g. www.example.eprints.org is a secondary hostname for example.eprints.org); note that it applies to every hostname below the one that sent the header, so an HTTP-only service on a subdomain will stop working in browsers that have cached the policy. preload is only really useful if your repository is the root of a registrable domain (e.g. eprints.org) that can be submitted to the browsers' preload lists (e.g. Mozilla's https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc), as preloading can only be registered at this level. However, there is no harm in including it in the line above. One Apache detail: Header set only adds the header to successful responses, so use Header always set instead if it should also appear on redirects and error pages, which the preload submission checks require for any redirect served from the HTTPS site.
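A quick way to verify what the repository actually sends, as an added example that is not from this page or from EPrints: hsts_check below parses a Strict-Transport-Security value (';'-separated, case-insensitive directives as in RFC 6797) and reports whether it satisfies the preload-list requirements (max-age of at least 31536000, includeSubDomains and preload), and hsts_fetch (a hypothetical helper, assumed here) pulls the live header from a host with curl and feeds it to the same check. The sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the EPrints wiki page or the EPrints project): check whether a
# Strict-Transport-Security header value meets the browser preload-list requirements.
# hsts_check works on a plain string, so it runs offline; hsts_fetch (hypothetical
# helper) fetches the live header from a host and needs network access.

# hsts_check VALUE
#   Prints: max_age=<n> includesubdomains=<0|1> preload=<0|1> preload_ready=<yes|no>
#   Exit status: 0 = meets preload requirements, 1 = valid HSTS but not preload-ready,
#   2 = not a valid HSTS value (max-age missing or not numeric).
#   Constructed sample: hsts_check "max-age=31536000; includeSubDomains; preload"
hsts_check() {
  value=$1
  max_age=''
  subdomains=0
  preload=0
  old_ifs=$IFS
  IFS=';'
  for directive in $value; do
    # Strip whitespace and optional quotes around the value, normalise case.
    directive=$(printf '%s' "$directive" | tr -d ' \t"' | tr 'A-Z' 'a-z')
    case $directive in
      max-age=*) max_age=${directive#max-age=} ;;
      includesubdomains) subdomains=1 ;;
      preload) preload=1 ;;
    esac
  done
  IFS=$old_ifs

  # max-age is mandatory; without it the browser discards the whole header.
  case $max_age in
    ''|*[!0-9]*)
      echo "invalid: max-age missing or not numeric in '$value'" >&2
      return 2 ;;
  esac

  ready=no
  # Preload-list requirements: max-age >= 1 year, includeSubDomains and preload.
  if [ "$max_age" -ge 31536000 ] && [ "$subdomains" -eq 1 ] && [ "$preload" -eq 1 ]; then
    ready=yes
  fi
  echo "max_age=$max_age includesubdomains=$subdomains preload=$preload preload_ready=$ready"
  [ "$ready" = yes ]
}

# hsts_fetch HOST
#   Requests https://HOST/ and passes the first Strict-Transport-Security value found
#   to hsts_check. Exit status 2 if the header is absent. Not exercised offline.
hsts_fetch() {
  hdr=$(curl -sI "https://$1/" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
  if [ -z "$hdr" ]; then
    echo "no Strict-Transport-Security header from $1" >&2
    return 2
  fi
  hsts_check "${hdr#*:}"
}
```

After editing ssl/securevhost.conf and reloading Apache, run hsts_fetch against the repository hostname; an exit status of 2 usually means the header is being set in the wrong virtualhost, or only on successful responses when the fetched URL redirects.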