You will find below some of the main best practices related to web-server (Apache/IIS) configuration.
Change the default error pages.
Disable old SSL versions and weak ciphers:
On Apache, edit /etc/apache2/mods-available/ssl.conf. Here is an example:
On IIS (see the documentation), perform the following configuration:
Add the registry subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
To let the system use protocols that are not negotiated by default (such as TLS 1.2), change the DWORD value data of DisabledByDefault to 0x0 in the following registry keys under the Protocols key:
SCHANNEL\Protocols\TLS 1.2\Client
SCHANNEL\Protocols\TLS 1.2\Server
Disable SSL x.0 (SSL 2.0 and SSL 3.0):
SCHANNEL\Protocols\SSL 3.0\Client: set DisabledByDefault (DWORD (32-bit) Value) to 1
SCHANNEL\Protocols\SSL 3.0\Server: set Enabled (DWORD (32-bit) Value) to 0
For each protocol, apply both values (Enabled = 0 and DisabledByDefault = 1) to the Client and Server subkeys so that it is neither offered nor accepted.
Remove the TRACE method:
On Apache, edit /etc/apache2/conf.d/security and set: TraceEnable Off
On IIS (see the documentation), perform the following configuration:
Remove the banner:
On Apache, edit /etc/apache2/conf.d/security:
On IIS, perform the following configuration:
Limit the request body size to prevent large files from being uploaded:
On Apache, add the LimitRequestBody directive (size in bytes) in the <Directory /> block:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    LimitRequestBody 10485760
</Directory>
On IIS (see the documentation), set the maxAllowedContentLength (maximum allowed content length) in the content filtering options.
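The Apache items above (SSLProtocol/SSLCipherSuite in ssl.conf, TraceEnable Off, the banner directives and LimitRequestBody in the security file) are easy to get wrong with a typo or a commented-out line. The script below is an added example, not code from the original page: it audits an Apache configuration file for those directives. The two sample configurations are constructed for the demonstration; the directive names and file paths are Apache's own as cited on this page, while the check and function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit an Apache config for the
# hardening directives in the checklist above. Both sample configs below are
# constructed for this demonstration.

SAMPLE_CONF="$(mktemp)"
WEAK_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF" "$WEAK_CONF"' EXIT

# Constructed hardened sample (on Debian-style systems this content lives in
# /etc/apache2/mods-available/ssl.conf and /etc/apache2/conf.d/security).
cat > "$SAMPLE_CONF" <<'EOF'
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
TraceEnable Off
ServerTokens Prod
ServerSignature Off
<Directory />
    Options FollowSymLinks
    AllowOverride None
    LimitRequestBody 10485760
</Directory>
EOF

# Constructed weak sample: old protocols allowed, TRACE on, full banner,
# no body-size limit.
cat > "$WEAK_CONF" <<'EOF'
SSLProtocol all
TraceEnable On
ServerTokens Full
ServerSignature On
EOF

# get_directive FILE NAME: print the value of the first uncommented line
# whose first word is NAME (case-insensitive), or nothing if absent.
get_directive() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$1"
}

# Each check returns 0 (pass) or 1 (fail) so it can drive a CI job.
check_ssl_protocol() {
    v=" $(get_directive "$1" SSLProtocol) "
    [ "$v" != "  " ] || return 1        # absent: Apache's default allows old versions
    for old in SSLv3 TLSv1 TLSv1.1; do
        case "$v" in *" $old "*|*" +$old "*) return 1 ;; esac   # explicitly enabled
        case "$v" in
            *" all "*|*" +all "*)       # "all" needs an explicit "-<old>" exclusion
                case "$v" in *" -$old "*) ;; *) return 1 ;; esac ;;
        esac
    done
    return 0
}

check_trace_disabled() {
    [ "$(get_directive "$1" TraceEnable | tr '[:upper:]' '[:lower:]')" = "off" ]
}

check_banner_minimal() {
    tokens="$(get_directive "$1" ServerTokens | tr '[:upper:]' '[:lower:]')"
    sig="$(get_directive "$1" ServerSignature | tr '[:upper:]' '[:lower:]')"
    { [ "$tokens" = "prod" ] || [ "$tokens" = "productonly" ]; } && [ "$sig" = "off" ]
}

# Confirms a positive integer limit exists somewhere in the file; it does not
# verify which <Directory> scope the directive sits in.
check_request_body_limit() {
    limit="$(get_directive "$1" LimitRequestBody)"
    case "$limit" in ''|*[!0-9]*) return 1 ;; esac   # missing or not an integer
    [ "$limit" -gt 0 ]                                # 0 means unlimited (the default)
}

# audit FILE: print one PASS/FAIL line per check; exit status = number of failures.
audit() {
    fails=0
    for check in check_ssl_protocol check_trace_disabled \
                 check_banner_minimal check_request_body_limit; do
        if "$check" "$1"; then
            printf 'PASS %s\n' "$check"
        else
            printf 'FAIL %s\n' "$check"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

echo "== hardened sample =="; audit "$SAMPLE_CONF"
echo "== weak sample ==";     audit "$WEAK_CONF" || true
```

Run it against a real file with `audit /etc/apache2/apache2.conf` after Apache has been asked to merge its includes (`apachectl -t -D DUMP_INCLUDES` lists which files actually apply); the checks only see the single file they are given, so a directive placed in an included file must be audited there.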