Module | Min. Apache V2 Version | Included | What does it do? | Reasons to include/exclude |
---|
Default | Most | Reallyall | Few |
---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
mod_access_compat | 2.4 | Yes |
|
| | Control access based on client hostname, IP address or other characteristics of client request |
|
mod_actions | 2.0 | No |
|
|
| Lets you run CGI scripts when a particular file or method is used in a request | Exclude if not using CGI scripts or have no need to execute scripts conditionally based on requests. XSS vulnerability considerations. If included, ensure request parameters are not considered when making decisions based on content type |
mod_alias | 2.0 |
|
|
|
| Used for simple URL manipulation tasks, including mapping URLs to filesystem paths and standard redirection. |
|
mod_allowmethods | 2.4 |
|
|
|
| Restricts what HTTP methods can be used on a server |
|
mod_asis | 2.0 |
|
|
|
| Allows you to send a document without adding the usual HTTP headers |
|
mod_auth_basic | 2.2 |
|
|
|
| Used to restrict access with HTTP Basic Auth. Should be combined with at least one authentication module and one authorization module. | If this type of authentication is required, it is nearly imperative to use SSL as passwords are sent as almost plain text (base4 encoded). |
mod_auth_digest | 2.0 |
|
|
|
| Used to implement HTTP Digest Auth. | If this type of authentication is required, it is nearly imperative to use SSL as an attacker can force the browser to downgrade to basic auth. The passwords are stored unsecurely on the server. |
mod_auth_form | 2.4 |
|
|
|
| Allows the use of an HTML login form to restrict access | Depends on mod_session modules and makes use of HTTP cookies, which is susceptible to XSS attacks. |
mod_authn_anon | 2.2 |
|
|
|
| Authentication - Provides anonymous user access to authenticated areas |
|
mod_authn_core | 2.4 |
|
|
|
| Authentication - Provides core authentication capabilities |
|
mod_authn_dbd | 2.2 |
|
|
|
| Authentication - Provides authentication against SQL tables |
|
mod_authn_dbm | 2.2 |
|
|
|
| Authentication - Provides authentication against dbm password files |
|
mod_authn_file | 2.2 |
|
|
|
| Authentication - Provides authentication against plain text password files |
|
mod_authn_socache | 2.4 |
|
|
|
| Authentication - Maintains shared object cache of authentication credentials |
|
mod_authnz_fcgi | 2.4[.10] |
|
|
|
| Authorization - FastCGI authorizer application |
|
mod_authnz_ldap | 2.2 |
|
|
|
| Authorization - Provides authorization through an LDAP directory |
|
mod_authz_core | 2.4 |
|
|
|
| Authorization - Provides core authorization capabilities |
|
mod_authz_dbd | 2.4 |
|
|
|
| Authorization - Provides group authorization based on SQL database |
|
mod_authz_dbm | 2.2 |
|
|
|
| Authorization - Provides group authorization based on dbm files |
|
mod_authz_groupfile | 2.2 |
|
|
|
| Authorization - Provides authorization against plain text files |
|
mod_authz_host | 2.4[.19] |
|
|
|
| Authorization - Provides authorization based host (name or IP) |
|
mod_authz_owner | 2.2 |
|
|
|
| Authorization - Provides authorization based on file ownership |
|
mod_authz_user | 2.2 |
|
|
|
| Authorization - Provides authorization based on authenticated user |
|
mod_autoindex | 2.0 |
|
|
|
| Generates directory indexes | Exclude in most cases. Be sure to disable index generation in Apache configuration as shown in Hardering section below. |
mod_brotli | 2.4[.26] |
|
|
|
| Compresses content using Brotli before its delivered to the client |
|
mod_buffer | 2.4 |
|
|
|
| Support for request buffering | Exclude in most cases. Reads the request into RAM and then repacks into fewest memory buckets possible. However, at the cost of CPU time. If request/response is already efficiently packed, this could have adverse affects on processing time. |
mod_cache | 2.0 |
|
|
|
| HTTP caching filter | If included be aware that CacheQuickHandler is on by default which circumvents Allow and Deny directives. |
mod_cache_disk | 2.4 |
|
|
|
| Disk based storage for mod_cache |
|
mod_cache_socache | 2.4 |
|
|
|
| Implements a shared object cache storage for mod_cache |
|
mod_cern_meta | 2.0 |
|
|
|
| Emulate CERN HTTPD Meta file semantics |
|
mod_cgi |
| Yes |
|
|
| Allows execution of cgi scripts | Exclude if not required. Considerations for exploits including ShellShock, etc. If invoking bash scripts, ensure bash version is > 4.3 |
mod_cgid | 2.0 |
|
|
|
| Allows execution of cgi scripts (used for certain Unix multi-threaded environments only) | Ibid. |
mod_charset_lite | 2.0 |
|
|
|
| Allows the server to change the character set of responses before sending them to the client i.e. if files are stored as EBCDIC, it can be translated to ISO |
|
mod_data | 2.4 |
|
|
|
| Converts response body into an RFC2397 data URL | Exclude if not required. XSS attacks have been reported in applications leveraging mod_data such as Moodle, etc. |
mod_dav | 2.0 |
|
|
|
| Enables creating, moving, copying, and deleting of resources and collections on a remote web server | This should be excluded unless absolutely necessary. DLL Hijack exploits, etc. are widely known/reported. If including, ensure the server is secure before enabling with some type of authentication. |
mod_dav_fs | 2.0 |
|
|
|
| Filesystem provider for mod_dav. Prerequisite is mod_dav. | Ibid. |
mod_dav_lock | 2.2 |
|
|
|
| Generic locking API used by backend provider for mod_dav. Prerequisite is mod_dav and backend provider such as mod_dav_svn | Ibid. |
mod_dbd | 2.2 |
|
|
|
| Enables APR to manage db connections | Exclude if not required. Considerations for SQL injection attacks especially when using third-party modules in conjunction. |
|
|
|
|
|
|
|
|