This article lists some sensible configuration defaults for Apache 2.4 on an Ubuntu 16.04 server and explains how to apply them once, globally, at the server level rather than per site or per directory.
Objectives:
Stop Apache advertising its version and OS in the Server response header and in the footer of generated error pages - this information is not needed by clients and tells an attacker exactly which build to look up exploits for
Prevent direct access to files that should never be served (e.g. .git directories, .json, .sql)
Prevent directory browsing - don't let random strangers enumerate your directory structure through automatic index listings
Disallow Apache overrides at the directory level (i.e. ignore .htaccess files)
Note that if you disallow .htaccess files, any rewrite rules those files carried will need to move into each site's Apache virtual host configuration. This is slightly more secure (a compromised web directory can no longer change Apache's behaviour) and it should be faster, because Apache no longer looks for an .htaccess file in every directory on every request.
Global Apache Config
Open the Apache config file:
Make the following changes:
Prevent Embedding and Sniffing
Set headers for all files served:
X-Content-Type-Options: nosniff stops browsers (originally IE, now all major browsers) from MIME-sniffing a response and treating it as a different type from the declared Content-Type
X-Frame-Options: SAMEORIGIN stops other sites from embedding your pages in a frame (clickjacking)
Note that the Header directive is provided by mod_headers; Apache will fail its configuration test (and refuse to start) with an "Invalid command 'Header'" error unless the headers module is enabled:
Add the following to /etc/apache2/conf-enabled/security.conf (on Ubuntu this is a symlink to /etc/apache2/conf-available/security.conf, so editing either path changes the same file):
Prevent Directory Browsing
Open the relevant config file for editing:
Remove/Comment out:
Add this block:
…check the configuration syntax (apache2ctl configtest), then restart Apache:
Your Apache server should now be a bit more secure. The configuration settings have been applied globally - rather than in numerous .htaccess files at the directory level.