Implement Basic Security on Your Web Server / Application

Cybercrime is the greatest threat to every company in the world. According to Forbes, on average 30,000 new websites are hacked every day.
Cybersecurity is such a vital part of a secure and well-ordered digital world. In this article, I’ll try to cover most of the common security tweaks of a web application/server. Let’s get started:
Disable Directory Listing
Directory listing is a web server feature where the web server will automatically generate an HTML page that lists the files in a directory when there is no index.
Directory listing looks like:

Apache: In order to improve your security, we should disable this option. on Apache, add the following line to your .htaccess
file:
Options -Indexes
Apache: Or open main confirg file:
And search for:
...
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</directory>
...
And change the line:
Options Indexes FollowSymLinks
To:
Options -Indexes +FollowSymLinks
It should look like this:
...
<Directory /var/www/>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</directory>
...
In Virtual Host
In your virtual host file, just add Options -Indexes
line like:
<Directory /var/www/public_html>
Options -Indexes
</Directory>
Nginx: Open Nginx config file or virtual host config file and add autoindex off
line in the location directive:
server {
location /{anydir} {
autoindex off;
}
}
Now restart apache/nginx web server.
Disable Server Signature
The error pages of your website like 404 not found, 403 access forbidden pages contain server signature i.e. server version number, operating system etc. Hackers can misuse the information. We should hide server info.
We can easily disable server signature. Just follow this method.
Apache: Open main confirg file:
Add the given below code at end of Apache config file:
Nginx: We need to turn off the server_tokens directive in /etc/nginx/nginx.conf configuration file. Open config file:
Add the following line to http context:
Hide PHP Version: It’s better to hide PHP version. To hide PHP version, open php.ini
file and change expose_php
value to Off.
Now restart apache/nginx web server.
Prevent Clickjacking Attack
Clickjacking is also known as a UI redress attack. Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another.
In order to improve the security of your site against ClickJacking, we need to add X-Frame-Options
header. There are three settings for X-Frame-Options:
- SAMEORIGIN: Allow to embed pages (such as iFrame) on same origin.
- ALLOW-FROM URI: Allow to embed only on the specified origin.
- DENY: Prevent a page displaying in a frame or iframe.
Apache: Open apache config file add header like:
We can also do it using .htaccess
file:
Now restart webserver and test header with this tool.
Prevent XSS (cross-site scripting) Attack

We can prevent XSS attack in many ways. Let’s have a look at the solution.
Apache: Open main Apache config file (httpd.conf, apache2.conf) and add this line:
We can do it uisng .htaccess
file:
Nginx: Open main config file (nginx.conf) and add this line:
PHP: We need to sanitize all inputs to prevent XSS in PHP script. Have a look at the examples:
This artile will help you too: How to Secure Inputs in PHP.
JavaScript: We can escape inputs in JS. I’m writing a simple solution:
Note: I’ll write an article on JS input security ASAP. Link will be attached here.
Prevent MIME Content Sniffing
The X–Content–Type–Options header is used to protect against MIME sniffing vulnerabilities. These vulnerabilities can occur when a website allows users to upload content to a website however the user disguises a particular file type as something else.
To know more about MIME-sniffing, you may take a look at these articles:
Now let’s prevent this attack.
Apache: Open apache main config file (httpd.conf, apache2.conf) and add this line:
Using .htaccess
:
Nginx: Open main config file (nginx.conf) and add this line:
Disable HTTP Trace
The HTTP TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests that use the TRACE method by echoing in its response the exact request that was received.
We should disable the TRACE method from your web server. This method has no real-life usage and can be misused for XST (cross-site tracing) attacks.
Apache: disable it on Apache via .htaccess:
Nginx: Edit your nginx configuration and this:
Protect Your Cookies
If we don’t set protection on cookies, it is possible to steal or manipulate web application sessions and cookies via XSS attack. It’s recommended to keep our cookies safe.
Apache: Open apache main config file (httpd.conf/apache2.conf) & add this line:
Using .htaccess:
Nginx: Add the below syntax in ssl.conf or default.conf:
You can also do the same thing uisng nginx_cookie_flag_module.
Strict-Transport-Security
According to Wikipedia, HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates.
Apache: Add the line in HTTPS VirtualHost section:
If the site owner would like their domain to be included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari), then use the header below:
Using .htaccess:
Nginx: To add an HSTS header to your nginx server, you can add the following directive to your server section:
SSL and Cipher Suites
By default web server allows us to use insecure old versions of the TLS, SSL protocol. We should use the latest versions of protocol.
Apache: Let’s disable TLS 1.0/1.1 and SSL 2.0/3.0 versions. Open ssl.conf (CentoS: Under /etc/httpd/conf.d directory) and add the line:
Nginx: Add the following directive in the server section of the nginx configuration file:
Referrer-Policy
The Referrer–Policy HTTP header controls how much referrer information should be included with requests.
Referrer-Policy header values:
- no-referrer — No referrer information is sent.
- no-referrer-when-downgrade — This is the default behavior if no policy is specified. It always passes the full path and will pass a value from HTTPS→HTTPS but not HTTPS→HTTP.
- origin — Sends the domain but not the full path.
- origin-when-cross-origin — Sends the full path when on the same domain, but only the domain when passing to another website.
- same-origin — Sends the full path if it’s the same domain, but strips the value if going to another website.
- strict-origin — Sends the domain for HTTPS→HTTPS and HTTP→HTTP, but not HTTPS→HTTP.
- strict-origin-when-cross-origin — Sends the full path if on the same domain and from one secure page to another, sends the domain if going from HTTPS on one domain to another domain, and doesn’t pass if going from a secure domain to an insecure domain.
- unsafe-url — Sends the full path.
The default policy is “no-referrer-when-downgrade”. We can change header and set our own policy.
Apache: Open apache main config file (httpd.conf/apache2.conf) & add this line:
Using .htaccess:
Nginx: Open main config file (nginx.conf) and add this line:
Content Security Policy (CSP)
Content Security Policy (or CSP ) is a security mechanism to restrict the origin of content (such as Javascript, images, CSS, etc.) on a web page to certain authorized sites. This makes it possible to better guard against a possible XSS attack.
Apache: Define in apache config file:
Using .htaccess:
Nginx: Deinfe in nginx config file or specific server directive:
You may take a look at these links:
Using CSP generator, you can create your own security policy.
Important Tips
File permissions: File permission is responsible for hacking. Sometimes we set 777 permission in files & folders which is very bad. We should set 755 for directories and 644 for files.
Public File Uploader: If we have public file uploader option, we should secure the uploader. We can set accept format tag. Sanizte input fields if we take from public.
PhpMyAdmin: Hacker may access to server if PhpMyAdmin is installed. If you don’t know how to secure PhpMyAdmin, then remove it and enable remote access via your IP only. Then login to your database from the localhost. DataGrip is a great tool. MySQL Workbench is another good one.
Disable Shell Execution: If you don’t need shell execution in your web application, then disable shell execution. If needed, then only allow for the specific files. From php.ini
file, we can disable shell execution:
Notes
1. Afteradding/removing line from web server config file, we need to restart our web server:
2. You can check header policy using this site: https://securityheaders.com/.
3. I’ll add more bacis security twaeks in this article ASAP.