

Apache Server 2.4 UNIX Site Security Technical Implementation Guide

Version: V2R6
Benchmark ID: Apache_Server_2-4_UNIX_Site_STIG
Total Checks: 27
Tags: web
Severity breakdown: CAT I: 0, CAT II: 26, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (27)

  • V-214277 (MEDIUM): The Apache web server must perform server-side session management.
  • V-214278 (MEDIUM): The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
  • V-214279 (MEDIUM): The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
  • V-214280 (MEDIUM): The Apache web server must not perform user management for hosted applications.
  • V-214281 (MEDIUM): The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
  • V-214282 (MEDIUM): The Apache web server must allow mappings to unused and vulnerable scripts to be removed.
  • V-214283 (MEDIUM): The Apache web server must have resource mappings set to disable the serving of certain file types.
  • V-214284 (MEDIUM): Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.
  • V-214285 (MEDIUM): The Apache web server must be configured to use a specified IP address and port.
  • V-214286 (MEDIUM): The Apache web server must perform RFC 5280-compliant certification path validation.
  • V-214287 (MEDIUM): Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key.
  • V-214288 (MEDIUM): Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
  • V-214289 (MEDIUM): The Apache web server must augment re-creation to a stable and known baseline.
  • V-214290 (MEDIUM): The Apache web server document directory must be in a separate partition from the Apache web server's system files.
  • V-214291 (MEDIUM): The Apache web server must be tuned to handle the operational requirements of the hosted application.
  • V-214292 (MEDIUM): The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
  • V-214293 (MEDIUM): Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.
  • V-214294 (MEDIUM): Debugging and trace information used to diagnose the Apache web server must be disabled.
  • V-214295 (MEDIUM): The Apache web server must set an absolute timeout for sessions.
  • V-214296 (MEDIUM): The Apache web server must set an inactive timeout for sessions.
  • V-214297 (MEDIUM): The Apache web server must restrict inbound connections from nonsecure zones.
  • V-214298 (MEDIUM): Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
  • V-214299 (MEDIUM): The Apache web server application, libraries, and configuration files must only be accessible to privileged users.
  • V-214300 (MEDIUM): The Apache web server must only accept client certificates issued by DOD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-214301 (MEDIUM): The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.
  • V-214303 (MEDIUM): Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.
  • V-214304 (LOW): The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.