A web server can provide many features, services, and processes. Some of these may be deemed unnecessary, or too insecure, to run on a production DoD system.

The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

Review all pre-installed content and remove content that is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra, or installed as a UNIX/Linux package.

Remove the default index.html or welcome page if it is packaged separately. If the default welcome page is part of the main Apache httpd package, as it is on Red Hat Linux, comment out the configuration as shown below. Deleting a file such as 'welcome.conf' is not recommended, because a package update may restore it (and with it the welcome page); commented-out lines survive the update.

# This configuration file enables the default 'Welcome'
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
##<LocationMatch '^/+$'>
##    Options -Indexes
##    ErrorDocument 403 /error/noindex.html
##</LocationMatch>

Remove the Apache User Manual content, or comment out any configuration that references the manual. On a Red Hat system the manual is a separate package and can be erased (the leading '#' below is the root shell prompt, not a comment):

# yum erase httpd-manual

Remove or comment out any Server Status handler configuration. Note that the Order/Deny/Allow directives in this and the following excerpts are Apache 2.2 access-control syntax; Apache 2.4 accepts them only when mod_access_compat is loaded, and the 2.4 equivalent is the Require directive. Either way, the handler should not be active on a production server:

# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the '' to match your domain to enable.
##<Location /server-status>
##    SetHandler server-status
##    Order deny,allow
##    Deny from all
##    Allow from
##</Location>

Remove or comment out any Server Information handler configuration:

# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the '' to match your domain to enable.
##<Location /server-info>
##    SetHandler server-info
##    Order deny,allow
##    Deny from all
##    Allow from
##</Location>

Remove or comment out any other status or diagnostic handler configuration, such as the mod_perl perl-status handler (Apache2::Status):

# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the '' to match your domain to enable.
##<Location /perl-status>
##    SetHandler perl-script
##    PerlResponseHandler Apache2::Status
##    Order deny,allow
##    Deny from all
##    Allow from
##</Location>

The default source build installs extra configuration under /usr/local/apache2/conf/extra/, but the Include lines for most of that content are commented out in 'httpd.conf'. The exception is conf/extra/proxy-html.conf, whose Include is active and guarded only by an IfModule check for mod_proxy_html, so it takes effect as soon as that module is loaded:

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
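As an added check (example code written for this page, not part of the STIG text or of Apache httpd), the following POSIX shell script audits a configuration tree for the active directives the fixes above tell you to comment out: status/info handlers, perl-status, Includes of conf/extra/ files, and the distribution welcome-page LocationMatch block. It ignores lines that are already commented out, which is exactly what the recommended remediation produces, and remediates the same way (commenting out rather than deleting). The function names, the directory layout and the sample configuration it writes are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the STIG text or the Apache project): audit an
# httpd configuration tree for the unnecessary content this requirement
# targets. Any line that is NOT commented out and that enables the
# server-status, server-info or perl-status handler, pulls in a conf/extra/
# file, or keeps the distribution 'Welcome' page <LocationMatch '^/+$'>
# block is reported as file:line:text. The directory layout and the
# sample files written by write_sample_conf are constructed assumptions.

# find_unneeded_directives CONF_DIR
# Prints one finding per line. Returns 0 when the tree is clean, 1 otherwise.
# httpd ignores lines whose first non-blank character is '#', so those are
# skipped; that is what the "comment out" remediation produces.
find_unneeded_directives() {
    conf_dir=$1
    findings=$(
        find "$conf_dir" -type f -name '*.conf' -print | sort |
        while IFS= read -r f; do
            grep -n -E -i \
                -e 'SetHandler[[:space:]]+(server-status|server-info)' \
                -e 'PerlResponseHandler[[:space:]]+Apache2::Status' \
                -e '^[[:space:]]*Include(Optional)?[[:space:]]+.*conf/extra/' \
                -e '<LocationMatch[[:space:]]+.?\^/\+' \
                "$f" 2>/dev/null |
            grep -v -E '^[0-9]+:[[:space:]]*#' |
            awk -v file="$f" '{ print file ":" $0 }'
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# disable_line FILE LINENO
# Remediate the way the text recommends: comment the line out rather than
# deleting the file, so a package update cannot silently re-enable it.
# Written without the non-POSIX 'sed -i' so it runs on GNU and BSD sed.
disable_line() {
    sed "${2}s/^/#/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_sample_conf DIR
# Constructed sample tree: a commented-out welcome.conf (already compliant)
# and an httpd.conf with one inactive Include, one active proxy-html Include
# and an active server-status handler.
write_sample_conf() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/welcome.conf" <<'EOF'
##<LocationMatch '^/+$'>
##    Options -Indexes
##    ErrorDocument 403 /error/noindex.html
##</LocationMatch>
EOF
    cat > "$1/httpd.conf" <<'EOF'
# Constructed sample, not a real server's configuration
ServerRoot "/usr/local/apache2"
# Commented-out Includes are ignored by httpd and must not be reported
#Include conf/extra/httpd-manual.conf
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
EOF
}

# Stand-alone run: audit the constructed tree, remediate, audit again.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
echo "Before remediation:"
find_unneeded_directives "$demo_dir" || true
disable_line "$demo_dir/httpd.conf" 6
disable_line "$demo_dir/httpd.conf" 9
echo "After remediation:"
find_unneeded_directives "$demo_dir" && echo "(no active unnecessary directives)"
rm -rf "$demo_dir"
```

Against a real server, call find_unneeded_directives with the configuration root (for example /etc/httpd or /usr/local/apache2/conf) and review each reported line before disabling it. The script only inspects *.conf files: content sitting in the document root and separately installed packages such as httpd-manual are not visible to it and still need the manual review and package removal described above.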

For applications developed in-house, ensure that development artifacts (sample data and scripts, unused libraries and components, debug code, and development tools) are not included in the deployed software or accessible in the production environment.

