| V-214277 | | The Apache web server must perform server-side session management. | Session management is the practice of protecting the bulk of the user authorization and identity information. This data can be stored on the client sy... |
| V-214278 | | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | The Apache web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, and ... |
| V-214279 | | The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | Apache web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the ... |
| V-214280 | | The Apache web server must not perform user management for hosted applications. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user man... |
| V-214281 | | The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more function... |
| V-214282 | | The Apache web server must allow mappings to unused and vulnerable scripts to be removed. | Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Rem... |
| V-214283 | | The Apache web server must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-214284 | | Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-214285 | | The Apache web server must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, t... |
| V-214286 | | The Apache web server must perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-214287 | | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt commun... |
| V-214288 | | Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user c... |
| V-214289 | | The Apache web server must augment re-creation to a stable and known baseline. | Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are u... |
| V-214290 | | The Apache web server document directory must be in a separate partition from the Apache web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted applica... |
| V-214291 | | The Apache web server must be tuned to handle the operational requirements of the hosted application. | A denial of service (DoS) can occur when the Apache web server is so overwhelmed that it can no longer respond to additional requests. A web server no... |
| V-214292 | | The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content d... |
| V-214293 | | Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths. | Information needed by an attacker to begin looking for possible vulnerabilities in an Apache web server includes any information about the Apache web ... |
| V-214294 | | Debugging and trace information used to diagnose the Apache web server must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the Apache web server a... |
| V-214295 | | The Apache web server must set an absolute timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-214296 | | The Apache web server must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-214297 | | The Apache web server must restrict inbound connections from nonsecure zones. | Remote access to the Apache web server is any access that communicates through an external, non-organization-controlled network. Remote access can be ... |
| V-214298 | | Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | By separating Apache web server security functions from non-privileged users, roles can be developed that can then be used to administer the Apache we... |
| V-214299 | | The Apache web server application, libraries, and configuration files must only be accessible to privileged users. | The Apache web server can be modified through parameter modification, patch installation, upgrades to the Apache web server or modules, and security p... |
| V-214300 | | The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient ... |
| V-214301 | | The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client return... |
| V-214303 | | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being display... |
| V-214304 | | The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the Apache web server to implement organization-wide security implementation guides and security checklists guarantees compliance with fed... |