{"id":18952817,"url":"https://github.com/password123456/setup-apache-http-server-with-shorts-security-best-practice","last_synced_at":"2026-01-27T03:35:28.179Z","repository":{"id":254950660,"uuid":"848063599","full_name":"password123456/setup-apache-http-server-with-shorts-security-best-practice","owner":"password123456","description":"Apache HTTP Server SHORTS security best practice","archived":false,"fork":false,"pushed_at":"2024-11-28T06:10:38.000Z","size":131,"stargazers_count":0,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-02T01:48:12.692Z","etag":null,"topics":["apache","apache-configuration","apache-hardening","apache-http-server","apache-httpd","apache-server","apache2","apache2-security","apache24"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/password123456.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-27T04:07:54.000Z","updated_at":"2024-11-28T06:10:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"f68fe3e5-9f7f-4b8a-9b54-5d3474792326","html_url":"https://github.com/password123456/setup-apache-http-server-with-shorts-security-best-practice","commit_stats":null,"previous_names":["password123456/setup-apache-http-server-with-shorts-security-best-practice"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/password123456/setup-apache-http-server-with-shorts-security-best-practice","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-apache-http-server-with-shorts-security-best-practice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-apache-http-server-with-shorts-security-best-practice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-apache-http-server-with-shorts-security-best-practice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-apache-http-server-with-shorts-security-best-practice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/password123456","download_url":"https://codeload.github.com/password123456/setup-apache-http-server-with-shorts-security-best-practice/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-apache-http-server-with-shorts-security-best-practice/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28799732,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T01:07:07.743Z","status":"online","status_checked_at":"2026-01-27T02:00:07.755Z","response_time":168,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","apache-configuration","apache-hardening","apache-http-server","apache-httpd","apache-server","apache2","apache2-security","apache24"],"created_at":"2024-11-08T13:34:43.300Z","updated_at":"2026-01-27T03:35:28.164Z","avatar_url":"https://github.com/password123456.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Setup Apache HTTP Server With Shorts Security Best Practice\n![Hits][hits-button]\n\n[hits-button]: https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fpassword123456%2Fsetup-apache-http-server-with-shorts-security-best-practice\u0026count_bg=%2379C83D\u0026title_bg=%23555555\u0026icon=\u0026icon_color=%23E7E7E7\u0026title=hits\u0026edge_flat=false\n\nApache HTTP Server is an older web server, and there are already numerous resources available on security hardening and best practices. Despite the abundance of security hardening guides, many Apache HTTP Servers still suffer from security misconfigurations.\n\nThis document revisits the essential security configurations for Apache HTTP Server from a practical perspective.\n\nBy following the key recommendations outlined below, you can avoid common configuration errors and prevent security vulnerabilities caused by improper Apache Directive Configurations.\n\nIf you find this helpful, please the **\"star\"**:star2: to support further improvements.\n\n***\n## Table of Contents\n- [1. Ensure Proper Permissions for Apache Process Account](#1-ensure-proper-permissions-for-apache-process-account)\n- [2. Ensure Apache Version Information is Not Exposed](#2-ensure-apache-version-information-is-not-exposed)\n- [3. Ensure Unnecessary Modules Are Disabled](#3-ensure-unnecessary-modules-are-disabled)\n- [4. Set Proper Permissions for Critical Directories and Files](#4-set-proper-permissions-for-critical-directories-and-files)\n- [5. Remove Unnecessary Default Configurations](#5-remove-unnecessary-default-configurations)\n- [6. Use Correct Web Server Configuration Directives](#6-use-correct-web-server-configuration-directives)\n- [7. Disabling Unused HTTP Methods](#7-disabling-unused-http-methods)\n- [8. Ensure Removal of Insecure and Outdated SSL Protocols and Ciphers](#8-ensure-removal-of-insecure-and-outdated-ssl-protocols-and-ciphers)\n- [9. Ensure Proper Permissions on SSL Certificate Files](#9-ensure-proper-permissions-on-ssl-certificate-files)\n- [10. Ensure Blocking of Arbitrary Host Connections Not Configured in the Web Server](#10-ensure-blocking-of-arbitrary-host-connections-not-configured-in-the-web-server)\n- [11. Inspection and Control of Request Headers](#11-inspection-and-control-of-request-headers)\n\n***\n\n## 1. Ensure Proper Permissions for Apache Process Account\nApache HTTP Server typically runs under the default `apache` user account (or another non-privileged account). \n\nIt is important to ensure that Apache is not running under a privileged account, such as `root`. If it is, it must be changed to a non-privileged user to prevent potential security risks.\n\n**Audit:**\n- Verify the current user account under which Apache is running, execute the following command:\n    ```\n    [root@localhost ~]# ps -ef | grep httpd\n    root      1234     1  0 12:00 ?        00:00:01 /usr/sbin/httpd -k start\n    apache    1235  1234  0 12:00 ?        00:00:00 /usr/sbin/httpd -k start\n    apache    1236  1234  0 12:00 ?        00:00:00 /usr/sbin/httpd -k start\n    apache    1237  1234  0 12:00 ?        00:00:00 /usr/sbin/httpd -k start\n    apache    1238  1234  0 12:00 ?        00:00:00 /usr/sbin/httpd -k start\n    ```\n\n**Remediation:**\n- If Apache is running under the `root` account or any other account with elevated privileges, modify the configuration to run under a non-privileged account such as `apache`, `nobody`, `daemon`:\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    User apache   # \u003c== Set to a non-privileged account e.g. apache, nobody, daemon\n    Group apache  # \u003c== Group associated with the user\n    Ensure the Apache process account has no unnecessary privileges:\n    ```\n**(1) Check sudo privileges:** \n- The Apache process account must not have sudo privileges:\n    ```\n    [root@localhost ~]# sudo -l -U apache\n    User apache is not allowed to run sudo on pg-sec-mqrelay01\n    ```\n**(2) Verify shell access:** \n- The Apache process account should not have access to a login shell:\n    ```\n    [root@localhost ~]# cat /etc/passwd | grep -i apache\n    apache:x:48:48:Apache:/var/www:/sbin/nologin\n    ```\n**(3) Ensure password is locked:** \n- The password for the Apache process account should be locked:\n    ```\n    [root@localhost ~]# passwd -S apache\n    apache LK 2023-10-16 -1 -1 -1 -1 (Password locked.)\n    ```\n\n## 2. Ensure Apache Version Information is Not Exposed\nBy default, Apache HTTP Server displays the version information in the HTTP response header. This can provide attackers with insights into potential vulnerabilities. Hiding the version information mitigates this risk.\n\n**Audit:**\n- Verify that Apache version information is exposed in the HTTP response header:\n    ```\n    [root@localhost ~]# curl -i -k http://127.0.0.1\n    HTTP/1.1 200 OK\n    Date: Tue, 20 Aug 2024 12:34:56 GMT\n    Server: Apache/2.4.57 (Rocky Linux)\n    ...\n    ```\n\n**Remediation:**\n- To prevent the version information from being exposed, modify the following settings in the Apache configuration:\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    ServerTokens Prod   # \u003c== Set to hide version information\n    ServerSignature Off # \u003c== Disable the server signature\n    ```\n\n## 3. Ensure Unnecessary Modules Are Disabled\nApache HTTP Server includes a number of modules by default. Unless explicitly specified during installation, all modules are installed and activated. Unused modules consume system resources and can introduce security vulnerabilities if improperly configured. Only enable the modules required by your service to minimize risk and resource usage.\n\nHere are some common Apache modules, along with their functions and typical use cases:\n\n| **Module**      | **Function**                                                        | **Usage Example**                                                 |\n|-----------------|---------------------------------------------------------------------|-------------------------------------------------------------------|\n| mod_so          | Supports dynamic loading of modules.                                | Load necessary modules only when needed.                          |\n| mod_ssl         | Enables SSL/TLS encryption for HTTPS.                               | Required for securing sites with HTTPS.                           |\n| mod_rewrite     | Provides URL rewriting functionality.                               | Redirect URLs or support virtual URL structures.                  |\n| mod_proxy       | Provides proxy features for various protocols (HTTP, HTTPS, FTP).   | Used for reverse proxy or gateway configurations.                 |\n| mod_deflate     | Compresses content before sending it to the client.                 | Improves performance and reduces bandwidth usage.                 |\n| mod_cache       | Caches content to enhance server performance.                       | Reduces load by caching frequently accessed data.                 |\n| mod_include     | Supports Server Side Includes (SSI) for dynamic HTML.               | Insert conditional text or file content into HTML.                |\n| mod_cgi         | Supports CGI scripts for dynamic content.                           | Required for running scripts in Perl, Python, etc.                |\n| mod_status      | Provides monitoring and statistics on the server’s current status.  | Monitors Apache’s real-time status.                               |\n| mod_userdir     | Enables user-specific web directories.                              | Allows users to host their own content in their home directories. |\n| mod_alias       | Maps URL patterns to different paths.                               | Redirect URLs or map folders to web roots.                        |\n| mod_auth_basic  | Provides basic HTTP authentication (username/password).             | Enables basic authentication on web pages.                        |\n| mod_auth_digest | Provides more secure MD5-based digest authentication.               | Used for more secure authentication methods.                      |\n| mod_authz_host  | Controls access based on host.                                      | Restricts access based on IP addresses or domains.                |\n| mod_autoindex   | Automatically generates directory listings.                         | Displays file lists when no index file is available.              |\n| mod_negotiation | Provides content negotiation to serve the most appropriate content. | Chooses the best version of content for the client.               |\n| mod_mime        | Determines the MIME type based on file extension.                   | Sends the correct MIME type based on file type.                   |\n| mod_log_config  | Allows customized log formats.                                      | Used to configure specific logging formats.                       |\n| mod_setenvif    | Sets environment variables based on request headers.                | Alters behavior based on certain conditions.                      |\n| mod_headers     | Modifies HTTP response headers.                                     | Adjusts headers for security and client behavior.                 |\n\n\n**Audit:**\n- Verify that unnecessary modules are enabled in your environment:\n    ```\n    [root@localhost ~]# httpd -M\n    Loaded Modules:\n     core_module (static)\n     so_module (static)\n     http_module (static)\n     mpm_prefork_module (shared)\n     authn_file_module (shared)\n     authz_host_module (shared)\n     authz_core_module (shared)\n     ...\n    ```\n- **Modules Typically Needed for Web Services:** Common modules used in most web environments:\n    ```\n    mod_so, mod_ssl, mod_rewrite, mod_proxy, mod_deflate, mod_headers, mod_mime, mod_log_config, mod_setenvif, mod_authz_host, mod_dir, mod_alias\n    ```\n- **Modules Not Typically Needed:** Modules that are less commonly used or that pose potential security risks if misconfigured:\n    ```\n    mod_autoindex, mod_userdir, mod_status, mod_info, mod_include, mod_cgi, mod_proxy, mod_negotiation\n    ```\n\n**Remediation:**\n- Disable unnecessary modules to reduce the attack surface.\n\n**(1) Disable with ./configure (source installation only):** \n- If you compiled Apache from source, disable modules using the ./configure command:\n    ```\n    ex) ./configure --disable-module_name\n    \n    [root@localhost ~]# ./configure --disable-autoindex\n    [root@localhost ~]# ./configure --disable-auth-digest\n    ...\n    ```\n\n**(2) Disable by commenting out LoadModule directives:** \n- This is the common method for disabling modules. Edit the Apache configuration file and comment out the relevant LoadModule directives:\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    LoadModule status_module modules/mod_status.so\n    LoadModule log_config_module modules/mod_log_config.so\n    # LoadModule status_module modules/mod_status.so  # \u003c== Disable by adding a comment\n    ```\n\n## 4. Set Proper Permissions for Critical Directories and Files\nEnsure that the Apache installation directory and configuration files are accessible only to the \"root\" user. The permissions for these directories and files should be checked and modified if any other users have access rights.\n\n**Audit:**\n- Verify the permissions of Apache's installation directory and configuration files.\n    ```\n    [root@localhost ~]# ls -al /etc/httpd/\n    total 16\n    drwxr-xr-x.  5 root root  4096 Aug 20 12:00 .\n    drwxr-xr-x. 77 root root  4096 Aug 20 12:00 ..\n    drwxr-xr-x.  2 root root  4096 Aug 20 12:00 conf\n    drwxr-xr-x.  2 root root  4096 Aug 20 12:00 conf.d\n    drwxr-xr-x.  2 root root  4096 Aug 20 12:00 conf.modules.d\n    lrwxrwxrwx.  1 root root    19 Aug 20 12:00 logs -\u003e ../../var/log/httpd\n    lrwxrwxrwx.  1 root root    29 Aug 20 12:00 modules -\u003e ../../usr/lib64/httpd/modules\n    lrwxrwxrwx.  1 root root    14 Aug 20 12:00 run -\u003e /run/httpd\n    ```\n\n**Remediation:**\n- Ensure that all Apache directories and configuration files are owned by `root:root`.\n- Adjust the permissions so that others (non-owners) cannot access the directories and files.\n    ```\n    [root@localhost ~]# chown root:root -R /etc/httpd\n    [root@localhost ~]# chmod o-rx -R /etc/httpd\n    ```\n\n## 5. Remove Unnecessary Default Configurations\nBy default, Apache creates several example configuration files during installation. These files are included in the initial setup, and when adding additional configurations, they can conflict with or override new settings, potentially causing unexpected behavior or security vulnerabilities.\n\n**Apache Default Page:**\n![5.1!](images/a5.1.png)\n\nTo avoid complications in server configurations, remove unused default configuration files and ensure that any active configurations are placed in appropriate locations without causing conflicts.\n\n**Default Configuration Files and Content:**\n\n| **File Name**  | **Location**                          | **Content**                                                                 |\n|----------------|---------------------------------------|-----------------------------------------------------------------------------|\n| welcome.conf   | /etc/httpd/conf.d/welcome.conf        | Apache default welcome page configuration.                                  |\n| autoindex.conf | /etc/httpd/conf.d/autoindex.conf      | Automatically generates directory listings.                                 |\n| README         | /etc/httpd/conf.d/README              | Readme file generated during installation (not related to Apache settings). |\n| userdir.conf   | /etc/httpd/conf.d/userdir.conf        | Configuration for user home directories serving web content.                |\n| 00-dav.conf    | /etc/httpd/conf.modules.d/00-dav.conf | Configuration related to the WebDAV module.                                 |\n| 01-cgi.conf    | /etc/httpd/conf.modules.d/01-cgi.conf | Default CGI script configuration.                                           |\n\n**Audit:**\n- Check for the presence of default configuration files that are not being used.\n\n**Remediation:**\n- Remove the default configuration files such as `welcome.conf`, `autoindex.conf`, `README`, `00-dav.conf`, `01-cgi.conf`.\n- Ensure that any active configurations do not override each other and are applied correctly with proper syntax and placement.\n\n\n## 6. Use Correct Web Server Configuration Directives\nAnother common cause of Apache vulnerabilities is the `incorrect use of configuration directives.` \n\nDirectives in Apache are commands that control the behavior or settings of the server, and they must be applied correctly to avoid security risks. \n\nYou can find a full list of Apache directives here: [Apache Directive Documentation](https://httpd.apache.org/docs/2.2/ko/mod/directives.html)\n\nWhen configuration directives are misused, you may encounter issues such as overlapping settings, configuration overrides, or vulnerabilities caused by improperly segregating global and virtual host settings. \n\nBelow are some examples of configuration vulnerabilities due to improper use of directives.\n\n**A Few Examples of Misconfigurations Leading to Vulnerabilities:**\n\n**(1) AllowOverride Vulnerability via .htaccess**\n- If `.htaccess` usage is disabled globally (with AllowOverride None), but re-enabled in a virtual host (with AllowOverride All), attackers could upload malicious `.htaccess` files and manipulate server behavior.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    \u003cDirectory \"/var/www\"\u003e\n        AllowOverride None\n    \u003c/Directory\u003e\n    ...\n    \n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        \u003cDirectory \"/var/www/example\"\u003e\n            AllowOverride All\n        \u003c/Directory\u003e\n    \u003c/VirtualHost\u003e\n    ```\n\n**(2) System-Wide Directory Access Vulnerability via Directory Setting**\n- Allowing global access to the root directory ( `\u003cDirectory \"/\"\u003e Require all granted` ) while applying specific directory restrictions in a virtual host can allow unauthorized access to the entire server directory tree.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    \u003cDirectory \"/\"\u003e\n        Require all granted\n    \u003c/Directory\u003e\n    ...\n    \n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        \u003cDirectory \"/var/www/example\"\u003e\n            Options None\n            Require all granted\n        \u003c/Directory\u003e\n    \u003c/VirtualHost\u003e\n    ```\n\n**(3) DocumentRoot Vulnerability**\n- A global `DocumentRoot \"/\"` setting exposes the entire server directory tree if not correctly overridden in a virtual host, leading to similar directory access vulnerabilities.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    DocumentRoot \"/\"\n    ...\n    \n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        \u003cDirectory \"/var/www/example\"\u003e\n            Options None\n            Require all granted\n        \u003c/Directory\u003e\n    \u003c/VirtualHost\u003e\n    ```\n\n**(4) ExecCGI Misconfiguration**\n- Setting `Options +ExecCGI` globally but disabling it within a virtual host could inadvertently allow CGI execution globally if the global setting takes precedence.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    \u003cDirectory \"/var/www\"\u003e\n        Options +ExecCGI\n        Require all granted\n    \u003c/Directory\u003e\n    ...\n    \n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        \u003cDirectory \"/var/www/example\"\u003e\n            Options None\n            Require all granted\n        \u003c/Directory\u003e\n    \u003c/VirtualHost\u003e\n    ```\n\n**(5) DirectoryIndex Vulnerability**\n- When the global `DirectoryIndex` is not removed, and a different `DirectoryIndex` is set for a virtual host, the global index setting could lead to unintended directory listings if no index file is found.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    DirectoryIndex index.html\n    ...\n    \n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        DirectoryIndex index.php\n    \u003c/VirtualHost\u003e\n    ```\n\n**Audit:**\n- Verify that directives are correctly applied in both global and virtual host configurations.\n- Ensure that directives are not used multiple times in conflicting ways across global and virtual host contexts.\n\n**Remediation:**\n- Segregate web server configurations between global settings and virtual host settings.\n- Ensure that directives, if repeated, are properly scoped according to the context (global vs. virtual host).\n\n**Best Practices for Commonly Repeated Directives:**\n\n| Directive              | Recommended Configuration                                                       |                                                 \n|------------------------|---------------------------------------------------------------------------------|\n| DocumentRoot           | \tApply only within individual virtual hosts, avoid using globally.              |\n| DirectoryIndex         | \tApply only to virtual hosts that require a custom index; do not set globally.  |\n| Timeout\t               | Apply timeout settings only to specific virtual hosts that require them.        | \n| AllowOverride          | \tRestrict .htaccess usage to specific directories only, do not allow globally.  |\n| Options                | \tDefine options such as ExecCGI, Indexes, etc. separately for each directory.   |\n| Require                | \tApply access restrictions within each \u003cDirectory\u003e block for precision control. |\n| Redirect / RewriteRule | \tOnly apply in virtual hosts where URL redirection or rewrite rules are needed. |\n\n**Correct Use of Match Directives:**\n- Directives that `include Match` (e.g., `DirectoryMatch`, `FilesMatch`, `LocationMatch`) use regular expressions or patterns to apply precise configurations.\n- Directives that `not include Match` (e.g., `Directory`, `Files`, `Location`) apply settings to specified paths or files.\n- `Match` directives = precise pattern matching / `Non-Match` directives = broader range matching.\n- It's important to understand the characteristics of each directive to prevent misconfigurations and unintended behavior.\n\n\n**(1) DirectoryMatch**\n- Restrict access only to /var/www/test and /var/www/dev directories.\n    ```\n    \u003cDirectoryMatch \"^/var/www/(test|dev)\"\u003e\n        Require all denied\n    \u003c/DirectoryMatch\u003e\n    ```\n\n**(2) FilesMatch**\n- Apply settings only to .cgi or .pl files.\n    ```\n    \u003cFilesMatch \"\\.(cgi|pl)$\"\u003e\n        Require all granted\n    \u003c/FilesMatch\u003e\n    ```\n\n**(3) LocationMatch**\n- Apply settings to all URLs under /secure/.\n    ```\n    \u003cLocationMatch \"^/secure/.*\"\u003e\n        Require valid-user\n    \u003c/LocationMatch\u003e\n    ```\n\n**(4) Files**\n- Apply settings only to the important.txt file.\n    ```\n    \u003cFiles \"important.txt\"\u003e\n        Require all denied\n    \u003c/Files\u003e\n    ```\n\n**(5) Location**\n- Apply settings to all URLs starting with /admin.\n    ```\n    \u003cLocation \"/admin\"\u003e\n        Require admin\n    \u003c/Location\u003e\n    ```\n\n## 7. Disabling Unused HTTP Methods\nWhen unused HTTP methods are enabled on a web service, they can expose vulnerabilities or unintended behaviors that may lead to abuse and become an attack vector. \n\nIt is important to disable any methods that are not in use, particularly the `TRACE` method, which is used for debugging and is generally unnecessary for normal web service operations.\n\n**HTTP Methods:**\n\n| Name    | Description                                                                                                                                         |\n|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------|\n| OPTIONS | \tUsed to check the list of supported methods by the web server.                                                                                     |\n| HEAD    | \tThe server sends only the header information in the response. It is often used to check the existence of a page by receiving the HTTP status code. |\n| GET     | \tSimilar to POST, but does not handle form input; typically used to retrieve information such as lists in forums via URI transmission.              |\n| POST    | \tUsed when sending data from a client to a web application for processing.                                                                          |\n| PUT     | \tSimilar to POST, used to save content specified by the client to the server.                                                                       |\n| DELETE  | \tUsed by the client to delete files on the server.                                                                                                  |\n| TRACE   | \tUsed to invoke a loopback message on the web server to trace the data transmission path.                                                           |\n| CONNECT | \tUsed to request proxy functionality from the web server.                                                                                           |\n\n\n**Audit:**\n- Verify that which HTTP methods are available on your web server:\n    ```\n    [root@localhost ~]# curl -i -k -X OPTIONS http://example.com\n    HTTP/1.1 200 OK\n    Server: Apache\n    Date: Mon, 12 Aug 2024 03:00:29 GMT\n    Content-Type: text/html; charset=utf-8\n    Content-Length: 0\n    Connection: keep-alive\n    Allow: GET, HEAD, OPTIONS, PUT, DELETE, POST, PATCH\n    ...\n    ```\n\n**Remediation:**\n- Disable TRACE Method\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    TraceEnable Off  # \u003c== Disable TRACE method\n    ```\n- Enable Only Necessary HTTP Methods:\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    TraceEnable Off  # \u003c== Disable TRACE method\n    ...\n    \u003cVirtualHost *:80\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        ...\n        # Only allow GET, POST, and OPTIONS methods; deny others with HTTP 403 response.\n        \u003cLocation \"/\"\u003e\n            \u003cLimitExcept GET POST OPTIONS\u003e\n                Require all denied\n            \u003c/LimitExcept\u003e\n        \u003c/Location\u003e\n        ...\n    \u003c/VirtualHost\u003e\n    ```\n\n**LimitExcept Directive:**\n- The LimitExcept directive can be used in various configuration sections, such as `\u003cDirectory\u003e`, `\u003cLocation\u003e`, `\u003cFiles\u003e`, `\u003cProxy\u003e`, `\u003cLocationMatch\u003e`, `\u003cDirectoryMatch\u003e`.\n- Below are some examples:\n    ```\n    \u003cLocationMatch \"^/private\"\u003e\n        \u003cLimitExcept GET POST OPTIONS\u003e\n            Require all denied\n        \u003c/LimitExcept\u003e\n    \u003c/LocationMatch\u003e\n    \n    \n    \u003cProxy \"*\"\u003e\n        \u003cLimitExcept GET POST OPTIONS\u003e\n            Require all denied\n        \u003c/LimitExcept\u003e\n    \u003c/Proxy\u003e\n    \n    \u003cFiles \"secret.txt\"\u003e\n        \u003cLimitExcept GET POST OPTIONS\u003e\n            Require all denied\n        \u003c/LimitExcept\u003e\n    \u003c/Files\u003e\n    \n    \n    \u003cLocation \"/admin\"\u003e\n        \u003cLimitExcept GET POST OPTIONS\u003e\n            Require all denied\n        \u003c/LimitExcept\u003e\n    \u003c/Location\u003e\n    \n    \n    \u003cDirectory \"/var/www/html\"\u003e\n        \u003cLimitExcept GET POST OPTIONS\u003e\n            Require all denied\n        \u003c/LimitExcept\u003e\n    \u003c/Directory\u003e\n    ```\n\n## 8. Ensure Removal of Insecure and Outdated SSL Protocols and Ciphers\nWhen configuring SSL, outdated and insecure protocols or algorithms should be avoided. \n\nMajor browsers like Chrome, Microsoft Edge, and Firefox have dropped support for TLS 1.0 and TLS 1.1 due to security vulnerabilities such as POODLE and BEAST. These older protocols are known to be vulnerable to various attacks.\n\n| No. | CVE-ID        | Vulnerability Name                                      | Description                                                                |\n|-----|---------------|---------------------------------------------------------|----------------------------------------------------------------------------|\n| 1   | CVE-2014-3566 | POODLE (Padding Oracle On Downgraded Legacy Encryption) | Exploits outdated encryption methods, enabling protocol downgrade attacks. |\n| 2   | CVE-2011-3389 | BEAST (Browser Exploit Against SSL/TLS)                 | Allows attackers to decrypt HTTPS cookies and hijack sessions.             |\n\n\n**Audit:**\n- Verify the SSL settings for `SSLProtocol` and `SSLCipherSuite` configurations.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    \u003cVirtualHost *:443\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        SSLEngine on\n        SSLCertificateFile \"/etc/httpd/conf.d/cert/example.com_ssl.crt\"\n        SSLCertificateKeyFile \"/etc/httpd/conf.d/cert/example.com_ssl.key\"\n        SSLCertificateChainFile \"/etc/httpd/conf.d/cert/example.com_ssl-chain.crt\" \n        SSLProtocol all\n        SSLCipherSuite ALL:!ADH:!EXPORT:!LOW\n        SSLHonorCipherOrder on\n        \u003cDirectory \"/var/www/example\"\u003e\n            Options None\n            AllowOverride None\n            Require all granted\n        \u003c/Directory\u003e\n        ...\n    \u003c/VirtualHost\u003e\n    ```\n\n**Remediation:**\n- `SSLProtocol` should use TLS 1.2 or later.\n- `SSLCipherSuite` to utilize secure algorithms supported in TLS 1.2 or later.\n\n**Recommended Configuration (General Use):**\n- For general services (not bound by PCI-DSS), use the following configuration:\n    ```\n    SSLProtocol     all -SSLv3 -TLSv1 -TLSv1.1\n    SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305\n    ```\n- After configuration, verify the SSL security status using [SSL Labs' SSL Test.](https://www.ssllabs.com/ssltest/)\n- Refer to [Mozilla's SSL Configuration Generator](https://ssl-config.mozilla.org/) for specific configurations based on your web server and OpenSSL version.\n\n## 9. Ensure Proper Permissions on SSL Certificate Files\nIn cases where a web service vulnerability allows remote access to web server permissions, attackers may attempt to access SSL certificate files, potentially leading to the exposure of the private key. If the SSL certificate's private key is leaked, an attacker could create a spoofed website that appears legitimate or use the key to distribute malware. This becomes especially dangerous when SSL certificate pinning is used, or if the certificate is a wildcard certificate, as it could necessitate replacing certificates across all servers and clients.\n\nEnsure that SSL certificate files are secured by verifying and applying proper file permissions.\n\n**Audit:**\n- Verify the file ownership and permissions for the `SSLCertificateFile`, `SSLCertificateKeyFile`, `SSLCertificateChainFile` files.\n    ```\n    [root@localhost ~]# vim /etc/httpd/httpd.conf\n    ...\n    \u003cVirtualHost *:443\u003e\n        ServerName example.com\n        DocumentRoot \"/var/www/example\"\n        SSLEngine on\n        SSLCertificateFile \"/etc/httpd/conf.d/cert/example.com_ssl.crt\"\n        SSLCertificateKeyFile \"/etc/httpd/conf.d/cert/example.com_ssl.key\"\n        SSLCertificateChainFile \"/etc/httpd/conf.d/cert/example.com_ssl-chain.crt\" \n        SSLProtocol     all -SSLv3 -TLSv1 -TLSv1.1\n        SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305\n        SSLHonorCipherOrder on\n        \u003cDirectory \"/var/www/example\"\u003e\n            Options None\n            AllowOverride None\n            Require all granted\n        \u003c/Directory\u003e\n        ...\n    \u003c/VirtualHost\u003e\n    \n    [root@localhost ~]# ls -al /etc/httpd/conf.d/cert\n    total 12\n    drwxr-x---. 2 root root   64 Apr  8 14:47 .\n    drwxr-x---. 4 root root   68 Aug 12 11:06 ..\n    -rw-r--r--. 1 nobody root 7869 Apr  8 14:45 example.com_ssl.crt\n    -rw-r--r--. 1 nobody root 1679 Apr  8 14:44 example.com_ssl.key\n    -rw-r--r--. 1 nobody root 2279 Apr  8 14:49 example.com_ssl-chain.crt\n    ```\n\n**Remediation:**\n- Set the ownership of certificate and key files to `root:root`.\n- Adjust the file permissions to `600` or `400` to prevent leaked.\n    ```\n    [root@localhost ~]# chown root:root -R /etc/httpd/conf.d/cert/example.com_ssl.crt\n    [root@localhost ~]# chown root:root -R /etc/httpd/conf.d/cert/example.com_ssl-chain.crt\n    [root@localhost ~]# chown root:root -R /etc/httpd/conf.d/cert/example.com_ssl.key\n    \n    [root@localhost ~]# chmod 400 /etc/httpd/conf.d/cert/example.com_ssl.crt\n    [root@localhost ~]# chmod 400 /etc/httpd/conf.d/cert/example.com_ssl-chain.crt\n    [root@localhost ~]# chmod 400 /etc/httpd/conf.d/cert/example.com_ssl.key\n    ```\n\n## 10. Ensure Blocking of Arbitrary Host Connections Not Configured in the Web Server\n\nIn a typical web server configuration, if someone knows the server's IP address, they might still be able to access the web service without knowing the valid hostname (domain). By isolating and blocking access to requests made to non-service hosts, you can reduce unnecessary connections that shouldn't lead to your service, thereby reducing server load and improving performance.\n\nBlocking such arbitrary connections also enhances security by preventing various types of web service attacks, such as host header injection and IP address-based scanning.\n\nEnsure that your web server is configured to only respond to requests made to the correct service host, while blocking all others.\n\n\n**Audit:**\n- Verify that unknown host requests are accepting when accessing the web server.\n\n**(Vulnerable) Web server accepting connections with unknown host requests:**\n```\n[root@localhost ~]# curl -k -v https://192.168.130.23 -H 'Host: invalid.host.com'\n*   Trying 192.168.130.23:443...\n* Connected to 192.168.130.23 (192.168.130.23) port 443\n* ALPN: curl offers h2,http/1.1\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n* TLSv1.3 (IN), TLS handshake, Server hello (2):\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / prime256v1 / rsaEncryption\n* ALPN: server did not agree on a protocol. Uses default.\n* Server certificate:\n*  subject: CN=*.example.com\n*  start date: Jan  2 00:00:00 2024 GMT\n*  expire date: Jan 20 23:59:59 2025 GMT\n*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA\n*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption\n*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption\n*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption\n* using HTTP/1.x\n\u003e GET / HTTP/1.1\n\u003e Host: invalid.host.com\n\u003e User-Agent: curl/8.5.0\n\u003e Accept: */*\n\u003e\n\u003c HTTP/1.1 200 OK\n\u003c Date: Mon, 12 Aug 2024 05:35:40 GMT\n\u003c Server: Apache\n\u003c Cache-Control: no-cache, no-store, must-revalidate\n\u003c Expires: Thu, 01 Jan 1970 09:00:00 KST\n...\n```\n\n**(Not Vulnerable) Web server not accepting connections with unknown host requests:**\n```\n[root@localhost ~]# curl -k -v https://192.168.130.236 -H 'Host: invalid.host.com'\n*   Trying 192.168.130.236:443...\n* Connected to 192.168.130.236 (192.168.130.236) port 443 (#0)\n* ALPN: offers h2\n* ALPN: offers http/1.1\n* (304) (OUT), TLS handshake, Client hello (1):\n* (304) (IN), TLS handshake, Server hello (2):\n* (304) (IN), TLS handshake, Unknown (8):\n* (304) (IN), TLS handshake, Certificate (11):\n* (304) (IN), TLS handshake, CERT verify (15):\n* (304) (IN), TLS handshake, Finished (20):\n* (304) (OUT), TLS handshake, Finished (20):\n* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256\n* ALPN: server accepted http/1.1\n* Server certificate:\n*  subject: CN=*.example.com\n*  start date: Jan  2 00:00:00 2024 GMT\n*  expire date: Jan 20 23:59:59 2025 GMT\n*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA\n*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption\n*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption\n*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption\n* using HTTP/1.x\n\u003e GET / HTTP/1.1\n\u003e Host: invalid.host.com\n\u003e User-Agent: curl/7.84.0\n\u003e Accept: */*\n\u003e\n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 403 Forbidden\n\u003c Server: Apache\n\u003c Date: Mon, 12 Aug 2024 05:32:49 GMT\n\u003c Content-Type: text/html\n\u003c Content-Length: 162\n\u003c Connection: keep-alive\n\u003c\n\u003chtml\u003e\n\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\n\u003cbody bgcolor=\"white\"\u003e\n\u003ccenter\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\u003c/center\u003e\n\u003chr\u003e\u003ccenter\u003eapache\u003c/center\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n* Connection #0 to host 192.168.130.236 left intact\n```\n\n**Remediation:**\n- Create a virtual host that processes and blocks requests with host headers that do not match the intended service hosts.\n```\n[root@localhost ~]# vim /etc/httpd/httpd.conf\n...\nListen 80\nListen 443\n...\n\n# VirtualHost to handle and block requests with unmatched host headers\n\u003cVirtualHost _default_:80\u003e\n    ErrorLog /var/log/httpd/http.unknown-header.error.log\n    CustomLog /var/log/httpd/http.unknown-header.access.log combined\n    \u003cLocation /\u003e\n        Require all denied\n    \u003c/Location\u003e\n\u003c/VirtualHost\u003e\n\n\u003cVirtualHost _default_:443\u003e\n    SSLEngine on\n    SSLCertificateFile \"/etc/httpd/conf.d/cert/example.com_ssl.crt\"\n    SSLCertificateKeyFile \"/etc/httpd/conf.d/cert/example.com_ssl.key\"\n    SSLCertificateChainFile \"/etc/httpd/conf.d/cert/example.com_ssl-chain.crt\" \n    SSLProtocol     all -SSLv3 -TLSv1 -TLSv1.1\n    SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305\n    SSLHonorCipherOrder on\n    ErrorLog /var/log/httpd/https.unknown-header.error.log\n    CustomLog /var/log/httpd/https.unknown-header.access.log combined\n    \u003cLocation /\u003e\n        Require all denied\n    \u003c/Location\u003e\n\u003c/VirtualHost\u003e\n\n\n# VirtualHost for the valid service hostname (example.com)\n\u003cVirtualHost *:80\u003e\n    DocumentRoot /var/www/example\n    ErrorLog /var/log/httpd/http.example.com.error.log\n    CustomLog /var/log/httpd/http.example.com.access.log combined\n    Redirect permanent / https://example.com/\n\u003c/VirtualHost\u003e\n\n\u003cVirtualHost *:443\u003e\n    ServerName example.com\n    DocumentRoot /var/www/example\n    SSLEngine on\n    SSLCertificateFile /etc/httpd/conf.d/cert/example.com_ssl.crt\n    SSLCertificateKeyFile /etc/httpd/conf.d/cert/example.com_ssl.key\n    SSLCertificateChainFile /etc/httpd/conf.d/cert/example.com_ssl.chain.crt\n    SSLProtocol TLSv1.2 TLSv1.3\n    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305\n    SSLHonorCipherOrder on\n    ErrorLog /var/log/httpd/https.example.com.error.log\n    CustomLog /var/log/httpd/https.example.com.access.log combined\n    ...\n    \u003cLocation /\u003e\n        Require all granted\n    \u003c/Location\u003e\n    ...\n\u003c/VirtualHost\u003e\n```\n\n**Notes:**\n- Ensuring that requests with incorrect host header are blocked is a critical part of web server security.\n- `Many web servers are not configured this way by default`, making this an essential configuration for system administrators to apply.\n\n## 11. Inspection and Control of Request Headers\nWeb servers can inspect and control request headers by identifying the presence of specific headers or their values. This can be useful for blocking access from certain sources, only allowing access to predefined user agents (such as specific mobile apps), or restricting access based on certain header values.\n\nCommon uses include allowing only certain clients, blocking search engine bots, and preventing access by publicly known attack tools used for security vulnerability scanning and abuse.\n\nHere are some examples of how you can implement request header inspection and control:\n\n**Blocking Access from Publicly Known Web Vulnerability Scanning Tools:**\n- You can configure your web server to block requests from known web vulnerability scanning tools, such as `Paros`, `ZmEu`, `nikto`, and others. This can be applied either globally to a virtual host or to specific URIs.\n\n(1) Blocking in the Entire Virtual Host\n  ```\n  [root@localhost ~]# vim /etc/httpd/httpd.conf\n  ...\n  \n  \u003cVirtualHost *:443\u003e\n      ServerName download.example.com\n      DocumentRoot /var/www/download.example.com\n      ...\n      # Block requests from known vulnerability scanning tools using User-Agent\n      SetEnvIfNoCase User-Agent \"Paros|ZmEu|nikto|dirbuster|sqlmap|openvas|w3af|Morfeus|Zollard|Arachni|Brutus|bsqlbf|Grendel-Scan|Havij|Hydra|N-Stealth|Netsparker|Pangolin|pmafind|webinspect\" bad_bot\n      \n      \u003cDirectory \"/var/www/download.example.com\"\u003e\n          Options None\n          AllowOverride None\n          Require all granted\n          # Deny access if User-Agent matches any of the blocked tools\n          \u003cIf \"%{ENV:bad_bot}\"\u003e\n              Require all denied\n          \u003c/If\u003e\n      \u003c/Directory\u003e\n      ...    \n  \u003c/VirtualHost\u003e\n  ```\n(2) Blocking for Specific URIs\n  ```\n  [root@localhost ~]# vim /etc/httpd/httpd.conf\n  ...\n  \n  \u003cVirtualHost *:443\u003e\n      ServerName download.example.com\n      DocumentRoot /var/www/download.example.com\n      ...\n      \n      # Block requests from known vulnerability scanning tools for /service URI\n      \u003cLocation \"/service\"\u003e\n          SetEnvIfNoCase User-Agent \"Paros|ZmEu|nikto|dirbuster|sqlmap|openvas|w3af|Morfeus|Zollard|Arachni|Brutus|bsqlbf|Grendel-Scan|Havij|Hydra|N-Stealth|Netsparker|Pangolin|pmafind|webinspect\" bad_bot\n          \n          # Deny access if User-Agent matches any of the blocked tools\n          \u003cIf \"%{ENV:bad_bot}\"\u003e\n              Require all denied\n          \u003c/If\u003e\n      \u003c/Location\u003e\n      \n      ...\n  \u003c/VirtualHost\u003e\n  ```\n\n**Header Inspection for Specific URL:**\n- You can also inspect the headers of specific URLs and enforce access controls based on header values. \n- For example, you can enforce the presence of an authorization header with a specific format, such as Bearer tokens, and deny access if the header is not present or incorrect.\n\n(1) Inspecting the Authorization Header for API Access\n```\n[root@localhost ~]# vim /etc/httpd/httpd.conf\n...\n\n\u003cVirtualHost *:443\u003e\n    ServerName download.example.com\n    \n    ...\n    \n    # Inspect the /api URL to check for the correct Authorization header\n    \u003cLocation /api\u003e\n        # Set environment variable if the Authorization header starts with \"Bearer\"\n        SetEnvIf Authorization \"^Bearer\" HAS_BEARER\n        \n        # Deny access and return 401 error if the Authorization header does not start with \"Bearer\"\n        \u003cIf \"%{env:HAS_BEARER} != '1'\"\u003e\n            Require all denied\n            ErrorDocument 401 \"Unauthorized: Bearer token required.\"\n        \u003c/If\u003e\n        \n        # If Bearer token is present, proxy the request to the backend application\n        ProxyPass \"http://app:3000/\"\n        ProxyPassReverse \"http://app:3000/\"\n    \u003c/Location\u003e\n    \n    ...\n\u003c/VirtualHost\u003e\n```\n\n---\n### Read Next\n- [Setup WordPress With Security Best Practice](https://github.com/password123456/setup-wordpress-with-security-best-practice)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpassword123456%2Fsetup-apache-http-server-with-shorts-security-best-practice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpassword123456%2Fsetup-apache-http-server-with-shorts-security-best-practice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpassword123456%2Fsetup-apache-http-server-with-shorts-security-best-practice/lists"}