How to disable HTTP 1.0 protocol in Apache?

apache network-protocols http-1.0
user8079940 picture user8079940 · May 31, 2017 · Viewed 9k times · Source

HTTP 1.0 has security weakness related to session hijacking. I want to disable it on my web server.

Answer

hjpotter92 picture hjpotter92 · May 31, 2017

You can check against the SERVER_PROTOCOL variable in a mod-rewrite clause. Be sure to put this rule as the first one.

RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
RewriteCond %{REQUEST_URI} !^/path/to/403/document.html$
RewriteRule ^ - [F]

The additional negative check for !^/path/to/403/document.html$ is so that the forbidden page can be shown to the users. It would otherwise lead to a recursion.

Related questions

Error message "Forbidden You don't have permission to access / on this server"

I have configured my Apache by myself and have tried to load phpMyAdmin on a virtual host, but I received: 403 Forbidden You don't have permission to access / on this server My httpd.conf # # This is the main Apache HTTP server …

Read More
XAMPP, Apache - Error: Apache shutdown unexpectedly

I've just re-installed XAMPP, and when I try to start my Apache server in the XAMPP Control Panel, I now get the following errors: 16:50:25 [Apache] Status change detected: running 16:50:26 [Apache] Status change detected: stopped 16:50:26 [Apache] Error: Apache shutdown unexpectedly. 16:50:26 [Apache] …

Read More
How to enable mod_rewrite for Apache 2.2

I've got fresh install of Apache 2.2 on my Vista machine, everything works fine, except mod rewrite. I've uncommented LoadModule rewrite_module modules/mod_rewrite.s but none of my rewrite rules works, even simple ones like RewriteRule not_found %{DOCUMENT_…

Read More