
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


APACHE 2.2 Server for UNIX Security Technical Implementation Guide

Version: V1R11

Benchmark ID: APACHE_SERVER_2.2_UNIX

Total Checks: 56

Tags: web

Severity breakdown: CAT I: 4, CAT II: 46, CAT III: 6

All directives specified in this STIG must be explicitly set (i.e., the server is not allowed to revert to its compiled-in defaults for these directives). Included files must be reviewed if they are used; procedures for reviewing included files are given in the overview document. The use of .htaccess files is not authorized by this STIG; however, if they are used, the overview document provides procedures for reviewing them. The Web Policy STIG should be used in addition to the Apache Site and Server STIGs in order to perform a comprehensive web server review.


Checks (56)

  • V-13613 (MEDIUM): The Web site software used with the web server must have all applicable security patches applied and documented.
  • V-13620 (MEDIUM): A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
  • V-13621 (HIGH): All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
  • V-13672 (MEDIUM): The private web server must use an approved DoD certificate validation process.
  • V-13724 (MEDIUM): The Timeout directive must be properly set.
  • V-13725 (MEDIUM): The KeepAlive directive must be enabled.
  • V-13726 (MEDIUM): The KeepAliveTimeout directive must be defined.
  • V-13727 (MEDIUM): The httpd.conf StartServers directive must be set properly.
  • V-13728 (MEDIUM): The httpd.conf MinSpareServers directive must be set properly.
  • V-13729 (LOW): The httpd.conf MaxSpareServers directive must be set properly.
  • V-13730 (MEDIUM): The httpd.conf MaxClients directive must be set properly.
  • V-13731 (MEDIUM): All interactive programs must be placed in a designated directory with appropriate permissions.
  • V-13732 (MEDIUM): The "-FollowSymLinks" setting must be disabled.
  • V-13733 (HIGH): Server side includes (SSIs) must run with execution capability disabled.
  • V-13734 (MEDIUM): The MultiViews directive must be disabled.
  • V-13735 (MEDIUM): Directory indexing must be disabled on directories not containing index files.
  • V-13736 (MEDIUM): The HTTP request message body size must be limited.
  • V-13737 (MEDIUM): The HTTP request header fields must be limited.
  • V-13738 (MEDIUM): The HTTP request header field size must be limited.
  • V-13739 (MEDIUM): The HTTP request line must be limited.
  • V-2225 (MEDIUM): MIME types for csh or sh shell programs must be disabled.
  • V-2230 (LOW): Backup interactive scripts on the production web server are prohibited.
  • V-2232 (MEDIUM): The web server password(s) must be entrusted to the SA or Web Manager.
  • V-2234 (MEDIUM): Public web server resources must not be shared with private assets.
  • V-2236 (MEDIUM): Installation of a compiler on a production web server is prohibited.
  • V-2242 (MEDIUM): A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
  • V-2243 (MEDIUM): A private web server must be located on a separate controlled access subnet.
  • V-2246 (HIGH): Web server software must be a vendor-supported version.
  • V-2247 (HIGH): Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
  • V-2248 (MEDIUM): Web administration tools must be restricted to the web manager and the web manager's designees.
  • V-2251 (LOW): All utility programs not necessary for operations must be removed or disabled.
  • V-2255 (MEDIUM): The web server's htpasswd files (if present) must reflect proper ownership and permissions.
  • V-2256 (MEDIUM): The access control files are owned by a privileged web server account.
  • V-2257 (LOW): Administrative users and groups that have access rights to the web server must be documented.
  • V-2259 (MEDIUM): Web server system files must conform to minimum file permission requirements.
  • V-2261 (MEDIUM): A public web server must limit email to outbound only.
  • V-2271 (MEDIUM): Monitoring software must include CGI or equivalent programs in its scope.
  • V-26285 (MEDIUM): Active software modules must be minimized.
  • V-26287 (MEDIUM): Web Distributed Authoring and Versioning (WebDAV) must be disabled.
  • V-26294 (MEDIUM): The web server status module must be disabled.
  • V-26299 (MEDIUM): The web server must not be configured as a proxy server.
  • V-26302 (MEDIUM): User-specific directories must not be globally enabled.
  • V-26305 (MEDIUM): The process ID (PID) file must be properly secured.
  • V-26322 (MEDIUM): The scoreboard file must be properly secured.
  • V-26323 (MEDIUM): The web server must be configured to explicitly deny access to the OS root.
  • V-26324 (MEDIUM): Web server options for the OS root must be disabled.
  • V-26325 (MEDIUM): The TRACE method must be disabled.
  • V-26326 (MEDIUM): The web server must be configured to listen on a specific IP address and port.
  • V-26327 (MEDIUM): The URL-path name must be set to the file path name or the directory path name.
  • V-26368 (MEDIUM): Automatic directory indexing must be disabled.
  • V-26393 (MEDIUM): The ability to override the access configuration for the OS root directory must be disabled.
  • V-26396 (MEDIUM): HTTP request methods must be limited.
  • V-60707 (MEDIUM): The web server must remove all export ciphers from the cipher suite.
  • V-6485 (LOW): Web server content and configuration files must be part of a routine backup program.
  • V-6577 (MEDIUM): A web server must be segregated from other services.
  • V-6724 (LOW): Web server and/or operating system information must be protected.