Apache httpd で基本的なセキュリティ設定 (2018年10月 更新)
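# --- Hide server identity and disable TRACE ---
# ServerTokens/ServerSignature only reduce fingerprinting; they are not a
# substitute for patching. Both are server-config-level directives (not
# usable in .htaccess), so this block belongs in the main httpd.conf.
ServerTokens Prod
ServerSignature Off
# TRACE echoes the request (including cookies / Authorization headers)
# back to the client and has been used for cross-site tracing attacks.
# Nothing legitimate needs it.
TraceEnable Off
# NOTE(review): the commented-out "RequestReadTimeout header=10 body=30"
# that used to sit here was removed: it duplicated (with different values)
# the RequestReadTimeout in the slowloris section at the end of this file.
# Keep that setting in exactly one place.
# NOTE(review): proxy-nokeepalive is a mod_proxy environment variable that
# forces the backend connection to be closed after every proxied request.
# It is a compatibility workaround for backends that mishandle persistent
# connections, not a hardening setting, and it costs a new backend TCP
# connection per request. If it is needed at all, scope it to the affected
# <Location>/<Proxy> block instead of setting it globally.
SetEnv proxy-nokeepalive 1
# Do not derive ETags from the inode, which leaks filesystem details
# (CVE-2003-1418). With "None" httpd emits no ETag for file-backed
# responses at all; Last-Modified / If-Modified-Since still works.
# "FileETag MTime Size" is the alternative if ETag-based caching matters.
FileETag None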
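# --- Strip framework banners ---
# X-Powered-By is emitted by the application layer (PHP, Express, ...) and
# reveals its name and often its version. Unset it from BOTH header tables:
# the default ("onsuccess") table and the "always" table. Headers produced
# by CGI/FastCGI handlers, and headers on non-2xx responses, live in the
# "always" table, and a plain "Header unset" does not see them (see the
# mod_headers documentation for the "condition" argument). Requires mod_headers.
Header unset "X-Powered-By"
Header always unset "X-Powered-By"
# Better still, stop emitting it at the source (e.g. expose_php=Off in
# php.ini); stripping it here only hides it from the wire.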
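# --- httpoxy (CVE-2016-5387 for httpd's CGI handling) ---
# The CGI spec maps an incoming "Proxy:" request header to the HTTP_PROXY
# environment variable, which many HTTP client libraries honour as an
# outbound proxy setting, so an attacker can redirect a backend's outgoing
# requests. No client legitimately sends this header, so drop it.
# "early" removes it in the early request phase, before mod_rewrite,
# mod_proxy and other modules can observe or forward it (this is the form
# recommended by httpoxy.org). Requires mod_headers.
RequestHeader unset Proxy early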
# --- Range header DoS (CVE-2011-3192, "Apache Killer") ---
# Requests carrying many overlapping byte ranges made httpd consume
# excessive memory per request. httpd 2.2.21+ and all 2.4 releases fix this
# server-side; this workaround (taken from the Apache advisory) is harmless
# defence in depth on patched servers and the only mitigation on unpatched
# ones. Requires mod_setenvif and mod_headers.
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
# The pattern matches five (or more) commas in the Range value, i.e. six
# or more ranges; such requests get served without range handling instead
# of being rejected.
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
#
RequestHeader unset Request-Range
# optional logging.
# Only requests flagged bad-range are written here. The path is relative to
# ServerRoot; requires mod_log_config.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
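# --- Browser-side security response headers ---
# All three use "Header always set" rather than "Header append"/"Header set":
#  * "set" guarantees exactly one well-formed value. "append" concatenates
#    with whatever the application already sent ("DENY, SAMEORIGIN"), which
#    is not a valid X-Frame-Options value and which browsers do not handle
#    consistently (some ignore the header, some fail closed).
#  * "always" also applies the header to locally generated error pages and
#    redirects, which the default ("onsuccess") condition does not cover.
# Requires mod_headers.
# Clickjacking: only allow framing by pages from the same origin.
Header always set X-Frame-Options SAMEORIGIN
# NOTE(review): "set" also overrides a value the backend chose deliberately
# (e.g. DENY on a login page). If the application manages this header
# itself, use "setifempty" (httpd 2.4.7+) instead.
# XSS filter hint for legacy browsers. Current browsers have removed the
# filter and ignore this header; the real control is Content-Security-Policy.
# Current guidance (OWASP) is to send "0" or omit the header, because the
# filter itself has been abused for side-channel attacks; it is kept at
# "1; mode=block" here only for the remaining legacy user agents.
Header always set X-XSS-Protection "1; mode=block"
# Disable MIME sniffing so a user-uploaded file served as text/plain or
# image/* is not reinterpreted as script or stylesheet by the browser.
Header always set X-Content-Type-Options nosniff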
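# --- Request-size limits ---
# Cap request bodies at 10 MiB (10485760 bytes). This also caps file
# uploads, so raise it per <Location>/<Directory> where larger uploads are
# expected rather than globally.
LimitRequestBody 10485760
# NOTE(review): 20 header fields is tight. Browsers commonly send 10-15,
# and any CDN or load balancer in front adds more (X-Forwarded-*, request
# IDs, ...); requests over the limit are rejected (400, or 431 on newer
# releases) for legitimate clients. httpd's default is 100; confirm this
# value against real traffic before relying on it.
# LimitRequestLine and LimitRequestFieldSize (default 8190 bytes) bound the
# size of each line rather than the count and are worth setting explicitly
# as well.
LimitRequestFields 20
# --- Slowloris ---
# mod_reqtimeout closes connections whose request line/headers or body
# arrive too slowly. The values below are the httpd 2.4 defaults when the
# module is loaded: headers must complete within 20 s, extended by 1 s per
# 500 bytes received up to 40 s; the body likewise from a 20 s base.
# Previously this directive was commented out, so no slowloris protection
# was actually in effect. The IfModule guard keeps startup from failing
# where mod_reqtimeout is absent -- but then there is still no protection,
# so verify the module is loaded (e.g. "httpd -M | grep reqtimeout").
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>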