Apache Hardening

From EPrints Documentation

There are various ways that the Apache configuration can be hardened to make it more secure. The suggested configuration changes below are informed by https://securityheaders.com/. Much of this is quite generic and could be applied to any web host, not just an EPrints repository, but some of it needs to be specifically configured for an EPrints repository.

HTTP Strict Transport Security (HSTS)

HSTS ensures that a user's web browser only uses HTTPS for the site once it has received this header. The following line should be added near the top of the HTTPS virtualhost (i.e. in the archive's ssl/securevhost.conf):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The max-age=31536000 is the recommended length in seconds (365 days, i.e. approx. 1 year). includeSubDomains is not absolutely necessary unless the repository has alternative hostnames that are under the primary hostname (e.g. www.example.eprints.org is a secondary hostname for example.eprints.org). preload is only really useful if your repository is the root of a domain (e.g. eprints.org), as registration on browsers' preload lists (e.g. [1]) can only be done at this level. However, there is no harm in including it in the line above.
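To verify that a deployed header matches the recommendation above, the following checker parses a Strict-Transport-Security value and reports where it falls short. It is an added example, not part of EPrints or its documentation; the header values in the comments are constructed, and the preload rule encodes the published browser preload-list requirements (1-year max-age plus includeSubDomains).

```python
"""Check a Strict-Transport-Security header value against the policy
recommended above (added example; not EPrints code)."""
import re

ONE_YEAR = 31536000  # seconds; the max-age recommended above


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive; max-age is returned as an int.
    Returns None if the value is malformed (missing or non-numeric max-age,
    or a duplicated directive, which RFC 6797 forbids).
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None
        directives[name] = value
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(header_value, has_subdomains=False):
    """Return a list of findings; an empty list means the header meets the
    recommendation above. Set has_subdomains=True when the repository has
    hostnames under the primary one (the includeSubDomains case above)."""
    d = parse_hsts(header_value)
    if d is None:
        return ["malformed header: max-age directive missing or invalid"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 disables HSTS and clears any stored policy")
    elif d["max-age"] < ONE_YEAR:
        findings.append("max-age below the recommended 31536000 (1 year)")
    if has_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing but repository has sub-hostnames")
    if "preload" in d and ("includesubdomains" not in d or d["max-age"] < ONE_YEAR):
        findings.append("preload present but preload lists require includeSubDomains and max-age >= 1 year")
    return findings
```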

X-Frame-Options (Clickjacking)