How to disable HTTP 1.0 protocol in Apache?

user8079940 · May 31, 2017 · Viewed 9k times

HTTP 1.0 has a security weakness related to session hijacking. I want to disable it on my web server.

Answer

hjpotter92 · May 31, 2017

You can check against the SERVER_PROTOCOL variable in a mod-rewrite clause. Be sure to put this rule as the first one.

RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
RewriteCond %{REQUEST_URI} !^/path/to/403/document.html$
RewriteRule ^ - [F]

The additional negative check for !^/path/to/403/document.html$ is so that the forbidden page can be shown to the users. It would otherwise lead to a recursion.
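
To confirm the rule took effect after reloading Apache, the following added example (not part of the original answer) sends the same GET once as HTTP/1.0 and once as HTTP/1.1 and compares the status codes. It assumes a plain-HTTP listener; the host, port and path values are placeholders to adjust for your server.

```python
import socket
import sys


def probe(host, port, version, path="/", timeout=5.0):
    """Send one GET with the given HTTP version ("1.0" or "1.1") and
    return the numeric status code from the response status line."""
    request = (
        f"GET {path} HTTP/{version}\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        # Only the status line is needed, so stop at the first CRLF.
        while b"\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"unexpected status line: {status_line!r}")
    return int(parts[1])


def check_http10_blocked(host, port, path="/"):
    """Return (ok, details). ok is True only when the HTTP/1.0 request is
    refused with 403 while the same HTTP/1.1 request is not."""
    old = probe(host, port, "1.0", path)
    new = probe(host, port, "1.1", path)
    return (old == 403 and new != 403), {"HTTP/1.0": old, "HTTP/1.1": new}


if __name__ == "__main__":
    # Assumed defaults: local server on port 80 (plain HTTP, no TLS).
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    ok, details = check_http10_blocked(host, port)
    print(details, "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

A FAIL with 200 for HTTP/1.0 usually means the rule is not being evaluated in the context that serves the request, or is not the first rule as the answer requires.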