| V-214365 | | The Apache web server must not perform user management for hosted applications. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user man... |
| V-214367 | | The Apache web server must allow the mappings to unused and vulnerable scripts to be removed. | Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Rem... |
| V-214368 | | Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-214371 | | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt commun... |
| V-214372 | | Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-214374 | | The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | The separation of user functionality from web server management can be accomplished by moving management functions to a separate IP address or port. T... |
| V-214376 | | Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user c... |
| V-214380 | | The Apache web server must augment re-creation to a stable and known baseline. | Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are u... |
| V-214382 | | The Apache web server document directory must be in a separate partition from the Apache web servers system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted applica... |
| V-214383 | | The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content d... |
| V-214388 | | The Apache web server must restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to... |
| V-214389 | | Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forc... |
| V-214390 | | The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-214394 | | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side script... |
| V-214395 | | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being display... |
| V-214373 | | Anonymous user access to the Apache web server application directories must be prohibited. | To properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record ... |
