I would like to enhance the security of my server, so I'm following a guide regarding server security. I'm new to the subject, therefore there are many things I struggle to understand and there is much to change in the configuration files.
At the moment, I am trying to set cookies with HttpOnly and Secure flags and unset the X-Powered-By header, therefore I added these directives /etc/apache2/conf-enabled/security.conf:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always unset X-Powered-By
In order to test the directive, I created a simple PHP file where I set a cookie and the header, but what I receive is neither HttpOnly nor Secure, moreover I'm still receiving the header.
There's a headers.load file inside the mods-enabled folder, I also checked whether mod_headers was enabled with apache2ctl -M, which returned (among the others)
headers_module (shared)
I even tried to manually load the module with LoadModule and logs told me the module was already enabled, so I guess everything is fine on that side.
Please note that I have a virtual host configured as:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.org/privkey.pem
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
</IfModule>
On the basis of what I've read on the docs, it should inherit the server configuration where not specified otherwise, anyway I tried placing those directives in the VirtualHost configuration and nothing worked.
I'm using Apache/2.4.29, my configuration file is /etc/apache2/apache2.conf. I'm sure I'm making stupid mistakes, but as I said I'm a novice!
Thanks a lot for your help.
