Explore key practices in cross-site security and learn effective Apache server hardening techniques. This quiz helps you identify common vulnerabilities and understand secure server configurations to protect web applications.
Which practice helps prevent Cross-Site Scripting (XSS) attacks when users submit text comments on a website?
Explanation: Escaping user input before it is rendered ensures that any potentially harmful markup is treated as text rather than executed, effectively preventing XSS attacks. Storing input in plain text or allowing all HTML tags may allow malicious scripts to run. Disabling HTTPS does not address XSS and weakens general security.
What HTTP header can be added in Apache to prevent web pages from being embedded in iframes, protecting against clickjacking?
Explanation: The X-Frame-Options header instructs browsers not to display content within an iframe or frame, providing protection against clickjacking attacks. Allow-Methods controls request methods, X-Content-Type is invalid (the correct header is X-Content-Type-Options), and Set-Cookie manages cookies, not frames.
Which file permission setting is generally safest for website files on an Apache server?
Explanation: Limiting permissions to read-only for the owner and denying others access helps prevent unauthorized changes. Giving full permissions to everyone or to the group increases security risk, and denying the owner access prevents legitimate administration.
Why is it important to disable unused Apache modules, such as 'autoindex'?
Explanation: Disabling unused modules removes functionality that could be exploited, reducing the server's attack surface. Speed benefits are secondary, public indexing is unrelated, and module status does not affect HTTPS certificate validity.
Which method helps to protect web forms from Cross-Site Request Forgery (CSRF) attacks?
Explanation: CSRF tokens are unique values that verify legitimate form submissions and prevent unauthorized requests. Error pages do not stop CSRF, allowing anonymous uploads can increase risk, and password complexity does not address CSRF.
What is the effect of disabling directory listing in Apache’s configuration?
Explanation: Disabling directory listing means users cannot see a list of files in directories without an index file, making it harder to discover sensitive files. It does not block all traffic or encrypt data by itself, nor does it force all requests to redirect.
Which directive in a .htaccess file can help restrict access to certain directories based on IP address?
Explanation: The 'Allow from' directive specifies which IP addresses are permitted, adding a layer of access control. (Note that 'Allow from' is the Apache 2.2 mod_access_compat syntax; on Apache 2.4 the equivalent is 'Require ip'.) IndexIgnore hides files in listings but does not restrict access, RewriteRule is for URL rewrites, and 'User-Agent' alone does not enforce access restrictions.
What does adding the header 'X-Content-Type-Options: nosniff' to Apache accomplish?
Explanation: The 'nosniff' option stops browsers from trying to infer (sniff) MIME types, which prevents MIME-confusion attacks in which a browser treats a non-script response as executable script or a stylesheet. It doesn't block all scripts, perform backups, or change image display behavior.
Which flag should be set on cookies to help protect them from being accessed by client-side scripts?
Explanation: The HttpOnly flag restricts access to cookies from client-side scripts, helping mitigate risks like XSS. Max-Speed and CSS-Only are not standard cookie options, while Cache-Control manages caching, not cookie security.
Why is regularly updating your Apache server software considered a crucial security practice?
Explanation: Updating your server software promptly patches known vulnerabilities, reducing exposure to threats. Speed increases, log erasure, or module disabling are not assured outcomes of software updates and don't directly address security vulnerabilities.