5.9 Ensure Old HTTP Protocol Versions Are Disallowed - RewriteRule

Information

The Apache modules mod_rewrite or mod_security can be used to disallow old and invalid HTTP protocol versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2. It should no longer be necessary to allow ancient versions of HTTP such as 1.0 and prior.

Rationale:

Many malicious automated programs, vulnerability scanners and fingerprinting tools will send abnormal HTTP protocol versions to see how the web server responds. These requests are usually part of the attacker's enumeration process and therefore it is important that we respond by denying these requests.

Solution

Perform the following to implement the recommended state:

Load the mod_rewrite module for Apache by doing either one of the following:

Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.

./configure --enable-rewrite

Or, dynamically loading the module with the LoadModule directive in the httpd.conf configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

Locate the main Apache configuration file such as httpd.conf and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the global server level configuration to disallow other protocol versions.

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each <VirtualHost> section to inherit the main server settings.

RewriteEngine On
RewriteOptions Inherit
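Before enabling the rule it is worth knowing what it will reject. The script below is an added example, not part of the CIS benchmark or Tenable audit text: it applies the page's RewriteCond pattern (HTTP/1.1$, with its unescaped dot, exactly as given) to the request-line field of constructed Apache combined-format access log lines, since that field is what %{THE_REQUEST} holds, and reports which requests the RewriteRule would answer with 403. The sample log lines and the helper names are the example's own. It also shows one caveat: Apache's mod_http2 hands HTTP/2 requests to mod_rewrite with a request line ending in HTTP/2.0, so the pattern as written denies HTTP/2 traffic too, and a server that serves HTTP/2 needs a broader condition.

```python
"""Preview the effect of the benchmark's RewriteCond on recorded traffic.

Added example (not part of the CIS/Tenable text). The log lines below are
constructed; the pattern is the one the page recommends.
"""
import re
from collections import Counter

# The RewriteCond pattern exactly as the page gives it. The dot is unescaped,
# so it matches any single character, as it would in Apache's PCRE as well.
PROTOCOL_PATTERN = re.compile(r"HTTP/1.1$")

# The first double-quoted field of a combined-format access log line is the
# request line, which is what %{THE_REQUEST} contains inside mod_rewrite.
REQUEST_FIELD = re.compile(r'"([^"]*)"')

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.68.0"
192.0.2.12 - - [10/Oct/2023:13:55:38 +0000] "GET /" 200 512 "-" "-"
192.0.2.13 - - [10/Oct/2023:13:55:39 +0000] "GET /api HTTP/2.0" 200 90 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2023:13:55:40 +0000] "HEAD /admin HTTP/1.1" 404 0 "-" "scanner/1.0"
"""


def rule_fires(request_line: str) -> bool:
    """True when `RewriteCond %{THE_REQUEST} !HTTP/1.1$` is satisfied, i.e. the
    request line does not end in HTTP/1.1, so `RewriteRule .* - [F]` returns 403."""
    return PROTOCOL_PATTERN.search(request_line) is None


def protocol_of(request_line: str) -> str:
    """Version token of a request line; HTTP/0.9-style requests carry none."""
    parts = request_line.split()
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        return parts[-1]
    return "none (HTTP/0.9 style)"


def audit_log(log_text: str) -> dict:
    """Summarise which logged requests the rule would deny, grouped by protocol."""
    denied = Counter()
    allowed = 0
    for line in log_text.splitlines():
        m = REQUEST_FIELD.search(line)
        if not m:
            continue  # malformed line without a quoted request field: skip it
        request_line = m.group(1)
        if rule_fires(request_line):
            denied[protocol_of(request_line)] += 1
        else:
            allowed += 1
    return {"allowed": allowed, "denied": dict(denied)}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    print(f"would allow {report['allowed']} request(s)")
    for proto, n in report["denied"].items():
        print(f"would deny {n} request(s) using {proto}")
```

Running it against a real access log (replace SAMPLE_LOG with the file contents) gives a count of legitimate clients that would start receiving 403s, which is the number to review before the rule goes into the global server context and each virtual host.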

Default Value:

The default value for the RewriteEngine directive is off.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|SC-23, CSCv7|9.2

Plugin: Unix

Control ID: da359d792330aa6d5f786bc8da32698a6a3e6517c461fd02d2890af47da13e4e