Nikto Apache Findings

by Vince
in Blog

AWS Lightsail makes it (too) easy to fire up a new server, install an application, and let it loose on the Internet.  You have to learn somewhere, and that's as good a place as any, but let's do a little housecleaning on the default apache2.conf file.

If we scan our stock Apache server with Nikto, we get the following findings:

+ Server leaks inodes via ETags, header found with file /, fields: 0xb3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

From what I understand, the first finding can be a false positive and is most likely harmless.  We're going to fix it anyway.

The second finding is real and poses a threat to your visitors.  Essentially, an attacker can place a transparent overlay over a clickable item: when the visitor clicks on the page, they think they are clicking the link on your site, but they are actually clicking a link elsewhere.

The third states that cross-site scripting protection is not enabled.

The fourth item states that our site is using an SSL certificate but we're not forcing browsers to communicate over HTTPS.

And our final item is interesting: the browser might try to guess the file type regardless of what the web server claims to be hosting.  For example, the file type could be .html but the content could actually be an executable.  During the download, the browser could recognize the executable code and attempt to execute it.  Our change will tell the browser to treat the download as the file type the server claims it to be.

The simplest way I've used to resolve these findings is by modifying /etc/apache2/apache2.conf, but first we need to enable Apache's mod_headers.  From the command line, run the following:

sudo a2enmod headers

You'll see a message about restarting Apache; you can ignore that, since we'll be restarting Apache in a moment.

Next we're going to edit the apache2.conf file:

Use nano, vim, or whatever your favorite editor is:

sudo nano /etc/apache2/apache2.conf

Scroll to the bottom and add the following:

# Refuse to be framed by other origins (the anti-clickjacking header)
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
# Mark every cookie the server sets as HttpOnly and Secure
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Stop generating ETags, so nothing about the file's inode can leak
FileETag None

The second-to-last directive has a max-age which I've read should be reduced from what you see, in case there's a mistake.  I guess if you set this and there's a problem, the problem might not get resolved for a long time, because browsers remember the policy for the whole max-age.  You could set it to 24 hours (86400) to be sure there aren't any issues.  I haven't had any issues as of yet, but I felt the need to point it out since it was something I'd seen along the way.

With the above changes in place, restart apache:

sudo service apache2 restart

You shouldn't see any errors; at that point, make sure the site is still working.  If so, re-scan your server and the findings above should all be cleared.
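To confirm the fix without waiting for a full Nikto run, here is an added Python script (not from the post) that applies the same checks to a set of response headers, including the cookie flags the Header edit line adds.  The BEFORE and AFTER responses are constructed samples, and audit_url is a hypothetical helper for checking a live server.

```python
import re
import urllib.request

# Messages mirror the Nikto findings quoted in the post
REQUIRED = {
    "x-frame-options": "anti-clickjacking X-Frame-Options header is not present",
    "x-xss-protection": "X-XSS-Protection header is not defined",
    "x-content-type-options": "X-Content-Type-Options header is not set",
}
# Inode-style Apache ETag (inode-size-mtime): three or more dash-separated hex fields
INODE_ETAG = re.compile(r'^(W/)?"?[0-9a-f]+(-[0-9a-f]+){2,}"?$', re.I)

def audit_headers(header_pairs, https=True):
    """Return a list of findings for (name, value) response-header pairs."""
    lower, cookies = {}, []
    for name, value in header_pairs:
        if name.lower() == "set-cookie":
            cookies.append(value)  # a response may carry several Set-Cookie lines
        else:
            lower.setdefault(name.lower(), value)
    findings = [msg for h, msg in REQUIRED.items() if h not in lower]
    if https and "strict-transport-security" not in lower:
        findings.append("site uses SSL and Strict-Transport-Security is not defined")
    etag = lower.get("etag", "")
    if INODE_ETAG.match(etag):  # narrower than Nikto's check, so fewer false positives
        findings.append(f"ETag may leak inode information: {etag}")
    for cookie in cookies:  # the Header edit line should have added both flags
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        missing = sorted({"httponly", "secure"} - flags)
        if missing:
            findings.append(f"cookie {cookie.split('=')[0]} lacks {', '.join(missing)}")
    return findings

def audit_url(url):
    """Live check (hypothetical helper): fetch url and audit its headers; needs network."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(resp.headers.items(), https=url.startswith("https://"))

# Constructed sample responses: a stock Apache reply, and the same server after the fix
BEFORE = [("Server", "Apache/2.4.41 (Ubuntu)"), ("ETag", '"2b60-5f4e1a2c-3a1"'),
          ("Set-Cookie", "PHPSESSID=abc123; path=/"), ("Content-Type", "text/html")]
AFTER = BEFORE[:1] + [("X-Frame-Options", "SAMEORIGIN"),
         ("X-XSS-Protection", "1; mode=block"), ("X-Content-Type-Options", "nosniff"),
         ("Set-Cookie", "PHPSESSID=abc123; path=/;HttpOnly;Secure"),
         ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]

if __name__ == "__main__":
    for label, pairs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(pairs) or ["clean"])
```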