Ensure Options for the Web Root Directory Are Restricted

Details

The Apache Options directive allows for specific configuration of options, including:

Execution of CGI

Following symbolic links

Server side includes

Content negotiation

Rationale:

The Options directive at the web root or document root level also needs to be restricted to the minimal options required. A setting of None is highly recommended; however, it is recognized that content negotiation may be needed at this level if multiple languages are supported. No other options should be enabled.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.

Add or modify any existing Options directive to have a value of None or MultiViews, if MultiViews is needed.


. . .
Options None
. . .

Default Value:

The default value for the web root directory's Options directive is FollowSymLinks.
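
The check described in the Solution steps can be automated. The following is an added example, not part of the benchmark or of this page: it locates the DocumentRoot, reads the Options lines in the matching <Directory> block, and reports anything enabled beyond None or MultiViews. The sample configurations and the /var/www/html path are constructed; the sketch assumes a single configuration text and does not follow Include files or model options inherited from parent <Directory> blocks.

```python
import re

ALLOWED = {"none", "multiviews"}   # the only values the control accepts at the web root

def docroot_option_lines(conf_text):
    """Return (DocumentRoot path, list of Options token lists in its <Directory> block)."""
    docroot, current, seen = None, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'DocumentRoot\s+"?([^"]+?)"?\s*$', line, re.I):
            docroot = m.group(1).rstrip("/")
        elif m := re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I):
            current = m.group(1).rstrip("/")
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None and (m := re.match(r"Options\s+(.+)$", line, re.I)):
            seen.setdefault(current, []).append(m.group(1).split())
    return docroot, seen.get(docroot)

def audit(conf_text):
    """Return (docroot, sorted options enabled beyond None/MultiViews); empty list = compliant."""
    docroot, option_lines = docroot_option_lines(conf_text)
    if option_lines is None:
        enabled = {"followsymlinks"}        # default the page states when Options is unset
    else:
        enabled = set()
        for tokens in option_lines:
            if not tokens[0].startswith(("+", "-")):
                enabled = set()             # an absolute list replaces earlier settings
            for tok in tokens:
                if tok.startswith("-"):
                    enabled.discard(tok[1:].lower())
                else:
                    enabled.add(tok.lstrip("+").lower())
    return docroot, sorted(enabled - ALLOWED)

# Constructed sample configurations (paths are placeholders, not from the page).
WEAK = '''
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
'''
HARDENED = WEAK.replace("Options Indexes FollowSymLinks", "Options None")
UNSET = WEAK.replace("    Options Indexes FollowSymLinks\n", "")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("unset", UNSET)):
        print(name, audit(conf))
```

An empty list means the web root block satisfies the control; a missing Options directive is reported as FollowSymLinks because that is the default.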

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022