Page History

...

Expand

title	Click here to see a description of each module

Here

Module

Min. Apache V2 Version

Included

What does it do?

Reasons to include/exclude

Default

Most

Reallyall

Few

mod_access_compat

2.4

Yes

Status

colour	Green
title	YES

Control access based on client hostname, IP address or other characteristics of client request

mod_actions

2.0

No

Lets you run CGI scripts when a particular file or method is used in a request

Exclude if not using CGI scripts or have no need to execute scripts conditionally based on requests. XSS vulnerability considerations. If included, ensure request parameters are not considered when making decisions based on content type

mod_alias

2.0

Used for simple URL manipulation tasks, including mapping URLs to filesystem paths and standard redirection.

mod_allowmethods

2.4

Restricts what HTTP methods can be used on a server

mod_asis

2.0

Allows you to send a document without adding the usual HTTP headers

mod_auth_basic

2.2

Used to restrict access with HTTP Basic Auth. Should be combined with at least one authentication module and one authorization module.

If this type of authentication is required, it is nearly imperative to use SSL as passwords are sent as almost plain text (base4 encoded).

mod_auth_digest

2.0

Used to implement HTTP Digest Auth.

If this type of authentication is required, it is nearly imperative to use SSL as an attacker can force the browser to downgrade to basic auth. The passwords are stored unsecurely on the server.

mod_auth_form

2.4

Allows the use of an HTML login form to restrict access

Depends on mod_session modules and makes use of HTTP cookies, which is susceptible to XSS attacks.

mod_authn_anon

2.2

Authentication - Provides anonymous user access to authenticated areas

mod_authn_core

2.4

Authentication - Provides core authentication capabilities

mod_authn_dbd

2.2

Authentication - Provides authentication against SQL tables

mod_authn_dbm

2.2

Authentication - Provides authentication against dbm password files

mod_authn_file

2.2

Authentication - Provides authentication against plain text password files

mod_authn_socache

2.4

Authentication - Maintains shared object cache of authentication credentials

mod_authnz_fcgi

2.4[.10]

Authorization - FastCGI authorizer application

mod_authnz_ldap

2.2

Authorization - Provides authorization through an LDAP directory

mod_authz_core

2.4

Authorization - Provides core authorization capabilities

mod_authz_dbd

2.4

Authorization - Provides group authorization based on SQL database

mod_authz_dbm

2.2

Authorization - Provides group authorization based on dbm files

mod_authz_groupfile

2.2

Authorization - Provides authorization against plain text files

mod_authz_host

2.4[.19]

Authorization - Provides authorization based host (name or IP)

mod_authz_owner

2.2

Authorization - Provides authorization based on file ownership

mod_authz_user

2.2

Authorization - Provides authorization based on authenticated user

mod_autoindex

2.0

Generates directory indexes

Unnecessary

Exclude in most cases. Be sure to disable index generation in Apache configuration as shown in Hardering section below.
mod_brotli	2.4[.26]		Compresses content using Brotli before its delivered to the client
mod_buffer	2.4		Support for request buffering	Exclude in most cases. Reads the request into RAM and then repacks into fewest memory buckets possible. However, at the cost of CPU time. If request/response is already efficiently packed, this could have adverse affects on processing time.
mod_cache	2.0		HTTP caching filter	If included be aware that CacheQuickHandler is on by default which circumvents Allow and Deny directives.
mod_cache_disk	2.4		Disk based storage for mod_cache
mod_cache_socache	2.4		Implements a shared object cache storage for mod_cache
mod_cern_meta	2.0		Emulate CERN HTTPD Meta file semantics
mod_cgi		Yes	Allows execution of cgi scripts	Exclude if not required. Considerations for exploits including ShellShock, etc. If invoking bash scripts, ensure bash version is > 4.3
mod_cgid	2.0		Allows execution of cgi scripts (used for certain Unix multi-threaded environments only)	Ibid.
mod_charset_lite	2.0		Allows the server to change the character set of responses before sending them to the client i.e. if files are stored as EBCDIC, it can be translated to ISO
mod_data	2.4		Converts response body into an RFC2397 data URL	Exclude if not required. XSS attacks have been reported in applications leveraging mod_data such as Moodle, etc.
mod_dav	2.0		Enables creating, moving, copying, and deleting of resources and collections on a remote web server	This should be excluded unless absolutely necessary. DLL Hijack exploits, etc. are widely known/reported. If including, ensure the server is secure before enabling with some type of authentication.
mod_dav_fs	2.0		Filesystem provider for mod_dav. Prerequisite is mod_dav.	Ibid.
mod_dav_lock	2.2		Generic locking API used by backend provider for mod_dav. Prerequisite is mod_dav and backend provider such as mod_dav_svn	Ibid.
mod_dbd	2.2		Enables APR to manage db connections	Exclude if not required. Considerations for SQL injection attacks especially when using third-party modules in conjunction.

Page tree

Versions Compared

Old Version 46

New Version 47

Key