Apache configuration
Configuring Apache properly is essential for website security. Generally, pre-packaged webserver software (e.g. Bitnami instances) is not designed to have every security measure enabled, as some measures need to be carefully decided by the server administrator so that they do not, for example, block access to legitimate pages.
There are several important things to be aware of when configuring Apache on your webservers.
httpd.conf and .htaccess files
Apache can be configured from two main files: the primary httpd.conf file in the apache/conf directory, and individual .htaccess files in specific directories where you want to override the httpd.conf file.
Avoid using .htaccess files
For both security and performance reasons, .htaccess files should be avoided. Their use is generally a sign of bad website design, as they are often used to deny access to folders containing credentials or private data that should not be in the server's DocumentRoot in the first place. Even when a particular folder has to be in the document root, denying access to it from httpd.conf is less error-prone, as it doesn't rely on an .htaccess file being present in the given folder.
The use of .htaccess files also makes Apache slower: when serving a page, it has to check each of the individual directories for .htaccess files to see whether there are any rules it needs to override.
The AllowOverride directive
Within <Directory> tags, which specify how Apache serves documents within a given directory, this directive decides whether any .htaccess file within the DocumentRoot can override the main httpd.conf file. The settings are All (any .htaccess file can override the main settings) or None (disable .htaccess files altogether).
Options (Indexes, FollowSymLinks)
Files and FilesMatch directives
The <Files> and <FilesMatch> directives let you specify what should occur for specific files or files that match a regular expression. They are commonly used to deny access to particular files or types of files.
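The httpd.conf fragment below is an added example, not configuration from the original page. It shows the weak AllowOverride setting beside the corrected one, and access denied centrally with <Directory>, <Files> and <FilesMatch> instead of per-folder .htaccess files. It assumes Apache 2.4 (Require syntax); the paths, file name and extension list are hypothetical.

```apache
# Added example: paths and file names below are hypothetical placeholders.

# Weak setting, kept commented out for contrast: any .htaccess file under
# the document root may override the main configuration.
# <Directory "/var/www/example/htdocs">
#     AllowOverride All
#     Require all granted
# </Directory>

# Corrected setting: .htaccess files are ignored, so Apache no longer looks
# for them in each directory and every rule lives in httpd.conf.
<Directory "/var/www/example/htdocs">
    AllowOverride None
    Require all granted
</Directory>

# A folder that has to stay inside the document root is denied from here,
# so the block does not depend on an .htaccess file being present in it.
<Directory "/var/www/example/htdocs/private">
    Require all denied
</Directory>

# <Files> matches one specific file name, wherever it appears.
<Files "credentials.ini">
    Require all denied
</Files>

# <FilesMatch> matches file names against a regular expression:
# here, leftover .ht* files and common backup/dump extensions.
<FilesMatch "(^\.ht|\.(bak|sql|log)$)">
    Require all denied
</FilesMatch>
```

Run apachectl configtest after editing httpd.conf to check the syntax before reloading the server.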
HTTP Headers
Permissions Policy
Permissions, iframes, etc.
Content Security Policy
The policy of all.
The AllowOverride and Indexes Directives
Security issues, performance issues.
Files directives
Some files never needed by users.