Information
Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the 'FilesMatch' directive.
Rationale:
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the 'FilesMatch' directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a list of potentially inappropriate file extensions such as '.bak', '.config', '.old', etc, it is recommended instead that a white list of the appropriate and expected file extensions for the web server be created, reviewed and restricted with a 'FilesMatch' directive.
Solution
Perform the following to implement the recommended state:
1. Compile a list of existing file extension on the web server. The following 'find/awk' command may be useful, but is likely to need some customization according to the appropriate webroot directories for your web server. Please note that the find command skips over any files without a dot (.) in the file name, as these are not expected to be appropriate web content.
find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u
2. Review the list of existing file extensions, for appropriate content for the web server, remove those that are inappropriate and add any additional file extensions expected to be added to the web server in the near future.
3. Add the 'FilesMatch' directive below which denies access to all files by default.
# Block all files by default, unless specifically allowed.
Require all denied
4. Add another a 'FilesMatch' directive that allows access to those file extensions specifically allowed from the review process in step 2. An example 'FilesMatch' directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below.
# Allow files with specifically approved file extensions
# Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
# images (gif; ico; jpeg; jpg; png; ...), multimedia
Require all granted