| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-214373 | | Anonymous user access to the Apache web server application directories must be prohibited. | To properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record ... |
| V-214396 | | An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidenti... |
| V-214362 | | The Apache web server must limit the number of allowed simultaneous session requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed ... |
| V-214363 | | The Apache web server must perform server-side session management. | Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the cl... |
| V-214364 | | The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events ... |
| V-214365 | | The Apache web server must not perform user management for hosted applications. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user man... |
| V-214366 | | The Apache web server must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-214367 | | The Apache web server must allow the mappings to unused and vulnerable scripts to be removed. | Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Rem... |
| V-214368 | | Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-214369 | | The Apache web server must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, t... |
| V-214370 | | The Apache web server must perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-214371 | | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt commun... |
| V-214372 | | Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-214374 | | The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | The separation of user functionality from web server management can be accomplished by moving management functions to a separate IP address or port. T... |
| V-214375 | | The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previo... |
| V-214376 | | Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user c... |
| V-214377 | | The Apache web server must accept only system-generated session identifiers. | Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or sessi... |
| V-214378 | | The Apache web server must generate unique session identifiers that cannot be reliably reproduced. | Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or sessi... |
| V-214379 | | The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. | Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing... |
| V-214380 | | The Apache web server must augment re-creation to a stable and known baseline. | Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are u... |
| V-214381 | | The Apache web server must be configured to provide clustering. | The web server may host applications that display information that cannot be disrupted, such as information that is time critical or life threatening.... |
| V-214382 | | The Apache web server document directory must be in a separate partition from the Apache web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted applica... |
| V-214383 | | The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content d... |
| V-214384 | | Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend... |
| V-214385 | | Debugging and trace information used to diagnose the Apache web server must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-214386 | | The Apache web server must set an absolute timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-214387 | | The Apache web server must set an inactive timeout for completing the TLS handshake. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-214388 | | The Apache web server must restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-214389 | | Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forc... |
| V-214390 | | The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-214391 | | The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD-approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient ... |
| V-214392 | | The Apache web server must be tuned to handle the operational requirements of the hosted application. | A denial of service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not prope... |
| V-214393 | | The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client return... |
| V-214394 | | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side script... |
| V-214395 | | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being display... |
| V-214397 | | The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal st... |
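Several of the rules above (V-214396 TLS version, V-214369 Listen address and port, V-214385 TRACE, V-214384 server identity, V-214383 directory listings, V-214394/V-214395 cookie flags, V-214387 handshake timeout, V-214386 absolute session timeout) are satisfied by specific httpd.conf directives. The script below is an added example, not part of the STIG and not Apache project code: it greps one configuration file for those directives and prints a PASS or FAIL line per rule. The mapping from each Vuln ID to a directive is this script's assumption about how the rule is usually met, not the STIG's own check text; TLS 1.2 as the approved floor is likewise an assumption, since the page only says "approved". It reads a single file and does not follow Include or IncludeOptional, so run it over every included file. The two sample configurations it writes are constructed for the example.

```shell
#!/bin/sh
# Added audit script (not STIG or Apache project code): greps one httpd.conf
# for the directives that commonly satisfy the rules above. The rule-to-
# directive mapping is this script's assumption, not the STIG's check text.

# Print the value(s) of every active (uncommented) DIRECTIVE in FILE.
# Apache directive names are case-insensitive, hence grep -i.
conf_get() {
  grep -v '^[[:space:]]*#' "$1" | grep -iE "^[[:space:]]*$2([[:space:]]|$)" \
    | awk '{ $1 = ""; sub(/^ /, ""); print }'
}
lower() { tr '[:upper:]' '[:lower:]'; }
report() { printf '%s %s: %s\n' "$1" "$2" "$3"; }   # STATUS RULE-ID DETAIL

audit_httpd_conf() {
  f=$1
  # V-214396: TLS 1.2/1.3 assumed to be the approved floor. "all" or an explicit
  # +SSLv3/+TLSv1/+TLSv1.1 fails; no SSLProtocol line at all also means "all".
  v=$(conf_get "$f" SSLProtocol | lower)
  if [ -z "$v" ]; then report FAIL V-214396 "SSLProtocol unset (defaults to all)"
  elif printf '%s\n' "$v" | grep -qE '(^|[[:space:]])\+?(all|sslv3|tlsv1|tlsv1\.1)([[:space:]]|$)' \
    || ! printf '%s\n' "$v" | grep -qE 'tlsv1\.[23]'; then
    report FAIL V-214396 "SSLProtocol allows a non-approved version: $v"
  else report PASS V-214396 "SSLProtocol $v"; fi
  # V-214369: every Listen names a specific address and port; a bare port or a
  # wildcard address (0.0.0.0, [::]) fails.
  l=$(conf_get "$f" Listen)
  bad=$(printf '%s\n' "$l" | grep -vE '^(\[[0-9a-fA-F:]+\]|[0-9]+(\.[0-9]+){3}):[0-9]+([[:space:]]|$)' || true
        printf '%s\n' "$l" | grep -E '^(0\.0\.0\.0|\[::\]):' || true)
  if [ -z "$l" ]; then report FAIL V-214369 "no Listen directive"
  elif [ -n "$bad" ]; then report FAIL V-214369 "Listen without a specific address: $bad"
  else report PASS V-214369 "Listen $l"; fi
  # V-214385: TRACE disabled; TraceEnable defaults to on when unset.
  v=$(conf_get "$f" TraceEnable | lower)
  if [ "$v" = off ]; then report PASS V-214385 "TraceEnable off"
  else report FAIL V-214385 "TraceEnable is '${v:-unset, defaults to on}'"; fi
  # V-214384: hide version, OS and module list in the Server header and error pages.
  t=$(conf_get "$f" ServerTokens | lower); s=$(conf_get "$f" ServerSignature | lower)
  if { [ "$t" = prod ] || [ "$t" = productonly ]; } && [ "$s" = off ]; then
    report PASS V-214384 "ServerTokens $t, ServerSignature off"
  else report FAIL V-214384 "ServerTokens '${t:-unset}', ServerSignature '${s:-unset}'"; fi
  # V-214383: no directory listings; no Options line may enable Indexes (or All).
  if conf_get "$f" Options | grep -qiE '(^|[[:space:]])\+?(indexes|all)([[:space:]]|$)'; then
    report FAIL V-214383 "an Options line enables Indexes"
  else report PASS V-214383 "no Options line enables Indexes"; fi
  # V-214394 / V-214395: HttpOnly and Secure appended to every Set-Cookie by
  # mod_headers, e.g. Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure".
  h=$(conf_get "$f" Header | grep -i 'set-cookie' || true)
  for pair in V-214394:HttpOnly V-214395:Secure; do
    rule=${pair%%:*}; flag=${pair#*:}
    if printf '%s\n' "$h" | grep -qi "$flag"; then report PASS "$rule" "Set-Cookie gets $flag"
    else report FAIL "$rule" "no Header directive adds $flag to Set-Cookie"; fi
  done
  # V-214387: a bounded TLS handshake via mod_reqtimeout's handshake= stage.
  if conf_get "$f" RequestReadTimeout | grep -qi 'handshake='; then
    report PASS V-214387 "RequestReadTimeout limits the handshake"
  else report FAIL V-214387 "RequestReadTimeout has no handshake= limit"; fi
  # V-214386: absolute session lifetime via mod_session; 0 or unset means none.
  v=$(conf_get "$f" SessionMaxAge)
  case $v in
    ''|0|*[!0-9]*) report FAIL V-214386 "SessionMaxAge is '${v:-unset}' (no absolute limit)" ;;
    *) report PASS V-214386 "SessionMaxAge $v" ;;
  esac
}
count_fails() { audit_httpd_conf "$1" | grep -c '^FAIL' || true; }

# Constructed sample fragments (not from any real deployment): one trips every
# check above, the other satisfies all of them.
write_sample_confs() {
  cat > "$1/weak.conf" <<'EOF'
Listen 443 https
SSLProtocol all -SSLv2
TraceEnable On
ServerTokens OS
ServerSignature On
Options Indexes FollowSymLinks
EOF
  cat > "$1/hardened.conf" <<'EOF'
Listen 10.0.0.5:443 https
SSLProtocol -all +TLSv1.2 +TLSv1.3
TraceEnable off
ServerTokens Prod
ServerSignature Off
Options -Indexes +FollowSymLinks
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
RequestReadTimeout handshake=10 header=20-40,MinRate=500 body=20,MinRate=500
SessionMaxAge 900
EOF
}

# Usage: sh audit_httpd.sh [/etc/httpd/conf/httpd.conf]; with no argument the
# two constructed samples are audited from a temporary directory.
if [ $# -gt 0 ]; then audit_httpd_conf "$1"; else
  d=$(mktemp -d); write_sample_confs "$d"
  for c in weak hardened; do printf '== %s.conf\n' "$c"; audit_httpd_conf "$d/$c.conf"; done
  rm -rf "$d"
fi
```

A PASS here means the directive is present in that file, not that the module behind it is loaded: the Header, RequestReadTimeout and SessionMaxAge checks only take effect if mod_headers, mod_reqtimeout and mod_session are enabled, so confirm them with `apachectl -M` before trusting the result. The script also treats `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` as a failure because it only accepts the explicit allow-list form; that is a deliberate simplification, and such lines should be reviewed by hand.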