Apache Hardening

From EPrints Documentation
Revision as of 22:19, 22 August 2022 by Drn@ecs.soton.ac.uk (Added initial apache hardening page)

There are various ways that the Apache configuration can be hardened to make it more secure. The suggested configuration changes below are informed by https://securityheaders.com/. Much of this is quite generic and could be applied to any web host, not just an EPrints repository, but some of it needs to be configured specifically for an EPrints repository.

HTTP Strict Transport Security (HSTS)

The following line should be added near the top of the HTTPS virtual host (i.e. in the archive's ssl/securevhost.conf):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

max-age=31536000 is the recommended length in seconds (365 days, i.e. approx. 1 year). includeSubDomains is not absolutely necessary unless the repository has alternative hostnames that are under the primary hostname (e.g. www.example.eprints.org is a secondary hostname for example.eprints.org). preload is only really useful if your repository is the root of a domain (e.g. eprints.org), as preloading can only be registered at this level. However, there is no harm in including it in the line above.
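To confirm that the header a repository actually sends matches the policy described above, the following added example (not part of the EPrints documentation or code base) parses a Strict-Transport-Security value as a browser would (RFC 6797 directive syntax) and reports deviations from the recommended max-age, includeSubDomains and preload settings. The has_subdomains flag is an assumption you supply about your own hostnames.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age value recommended above


def parse_hsts(value):
    """Parse an STS header value (RFC 6797: ';'-separated, case-insensitive directives)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:  # RFC 6797 allows each directive at most once
            out["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                out["max_age"] = int(arg)
            else:
                out["errors"].append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
        else:  # browsers ignore unknown directives, but they usually indicate a typo
            out["errors"].append(f"unknown directive: {name}")
    if out["max_age"] is None:  # without max-age the whole header is ignored
        out["errors"].append("max-age directive is required")
    return out


def check_hsts(value, has_subdomains=False):
    """Return a list of findings against the policy recommended above (empty list = OK).
    has_subdomains: True if other hostnames sit under the primary hostname."""
    parsed = parse_hsts(value)
    findings = list(parsed["errors"])
    if parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS and clears the host from the browser's HSTS cache")
    elif parsed["max_age"] is not None and parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is below the recommended {ONE_YEAR} (1 year)")
    if has_subdomains and not parsed["include_subdomains"]:
        findings.append("includeSubDomains missing although hostnames exist under the primary hostname")
    if parsed["preload"] and not parsed["include_subdomains"]:
        findings.append("preload list submission also requires includeSubDomains")
    return findings
```

Feeding the value set by the Header line above, check_hsts("max-age=31536000; includeSubDomains; preload"), returns an empty list; a header captured from a live response (e.g. via curl -sI) can be checked the same way.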