1. Hide Server Banner and Product Info from HTTP Header
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
2. Disable ETag
<Directory />
.... skip....
FileETag none
</Directory>
3. Implement HttpOnly and Secure flag in Cookie
LoadModule headers_module modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Alternative: with "always" the edit is also applied to non-2xx responses such as redirects
Header always edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
4. Mitigate Clickjacking attacks
Header always append X-Frame-Options SAMEORIGIN
5. Configure Listen Directive
Listen {IP}:80
6. Add X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
7. Disable TRACE HTTP Requests
TraceEnable off
http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#apachebase
* Does WebSphere Application Server or IBM HTTP Server support HSTS / HTTP Strict Transport Security?
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
* Configure your non-SSL virtual hosts to redirect to their SSL counterparts:
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
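As an added defender-side check (not from the page or from IBM's documentation), this Python script audits a captured set of response headers against the items above: server banner, ETag, cookie flags, X-Frame-Options and HSTS. The sample headers are constructed for illustration.

```python
import re

# Constructed sample response (not from the page): the server banner is still
# exposed, one cookie lacks both flags, and HSTS is absent.
SAMPLE_HEADERS = [
    ("Server", "IBM_HTTP_Server/9.0.5.0 (Unix)"),
    ("ETag", '"1a2b-3c4d"'),
    ("Set-Cookie", "JSESSIONID=0000abc123; Path=/"),
    ("Set-Cookie", "LtpaToken2=xyz; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
]

def cookie_flags(value):
    """Return the lower-cased attribute names of a Set-Cookie value (Path, Secure, ...)."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}

def audit_response_headers(headers):
    """Check a list of (name, value) response headers against the hardening items
    and return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    single = {name.lower(): value for name, value in headers}
    cookies = [value for name, value in headers if name.lower() == "set-cookie"]

    # 1. Server banner: AddServerHeader Off removes it, ServerTokens Prod strips the version
    server = single.get("server")
    if server and re.search(r"\d", server):
        findings.append("Server header discloses product version: " + server)

    # 2. ETag: disable with FileETag none
    if "etag" in single:
        findings.append("ETag header present; set FileETag none")

    # 3. Every cookie needs both HttpOnly and Secure
    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        missing = {"httponly", "secure"} - cookie_flags(cookie)
        if missing:
            findings.append("Cookie %s missing %s" % (name, ", ".join(sorted(missing))))

    # 4. Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN
    xfo = single.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # HSTS (FAQ entry above): require a max-age of at least one year (31536000 s)
    hsts = single.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < 31536000:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    return findings

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```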
* How can I add the client IP address to a request header?
SetEnvIf Remote_Addr (.*) client-ip=$1
RequestHeader set X-Forwarded-For %{client-ip}e
* Can IBM HTTP Server set the X-Forwarded-User header from the logged-in user?
RequestHeader set X-Forwarded-User %{my-remote-user}e env=my-remote-user
# This makes mod_rewrite run late enough to see the result of authentication
<Location />
RewriteEngine on
# %{REMOTE_USER} below does not depend on an environment variable
RewriteRule .* - [E=my-remote-user:%{REMOTE_USER}]
</Location>
* How do I set a header only if two conditions are both true?
<LocationMatch /dont/cache/.*>
BrowserMatch MSIE is_msie
Header set Cache-Control "no-cache" env=is_msie
</LocationMatch>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} MSIE
RewriteCond %{REQUEST_URI} ^/dont/cache/
RewriteRule ^/ - [E=nocache:1]
Header set Cache-Control "no-cache" env=nocache
# We would use SetEnv here, but it always runs after SetEnvIf; just use a catch-all SetEnvIf instead
SetEnvIf Request_URI "^/" nocache_uri=0 nocache_browser=0 nocache=1
SetEnvIf Request_URI "^/dont/cache/" nocache_uri=1
SetEnvIf User-Agent MSIE nocache_browser=1
SetEnvIf nocache_uri "0" nocache=0
SetEnvIf nocache_browser "0" nocache=0
SetEnvIf nocache "1" set_nocache
Header set Cache-Control "no-cache" env=set_nocache
* How can I disable caching in Internet Explorer?
Header set Pragma "no-cache"
Header set Cache-Control "no-cache"
Header set Expires "-1"
<FilesMatch \.(pdf|php)$>
Header set Pragma "no-cache"
Header set Cache-Control "no-cache"
Header set Expires "-1"
</FilesMatch>
<LocationMatch \.pdf$>
Header set Pragma "no-cache"
Header set Cache-Control "no-cache"
Header set Expires "-1"
</LocationMatch>