STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 21 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Apache Server 2.4 UNIX Site Security Technical Implementation Guide

Version

V2R7

Release Date

May 23, 2026

SCAP Benchmark ID

Apache_Server_2-4_UNIX_Site_STIG

Total Checks

16

Tags

web
CAT I: 0CAT II: 15CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (16)

V-214280MEDIUMThe Apache web server must not perform user management for hosted applications.V-214282MEDIUMThe Apache web server must allow mappings to unused and vulnerable scripts to be removed.V-214284MEDIUMUsers and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.V-214286MEDIUMThe Apache web server must perform RFC 5280-compliant certification path validation.V-214287MEDIUMOnly authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.V-214288MEDIUMCookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.V-214289MEDIUMThe Apache web server must augment re-creation to a stable and known baseline.V-214290MEDIUMThe Apache web server document directory must be in a separate partition from the Apache web servers system files.V-214292MEDIUMThe Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.V-214296MEDIUMThe Apache web server must set an inactive timeout for sessions.V-214297MEDIUMThe Apache web server must restrict inbound connections from nonsecure zones.V-214298MEDIUMNon-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.V-214300MEDIUMThe Apache web server must only accept client certificates issued by DOD PKI or DoD-approved PKI Certification Authorities (CAs).V-214301MEDIUMThe Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.V-214303MEDIUMCookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.V-214304LOWThe Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.