A web server with default settings is functional but not secure. This guide covers the practical hardening steps for Nginx and Apache (including LiteSpeed, which uses Apache-compatible configs) on a GoZen VPS. For platform-level protections, see GoZen Security.

These steps sit on top of your VPS security checklist and server hardening basics. If you haven’t done those yet, start there.

Hide Server Version Information

By default, web servers advertise their software and version in HTTP headers and error pages. Attackers use this to target known vulnerabilities.

  sudo nano /etc/nginx/nginx.conf

Add inside the http block:

  server_tokens off;
  
  sudo nginx -t && sudo systemctl reload nginx
  
  sudo nano /etc/apache2/conf-enabled/security.conf
  
  ServerTokens Prod
ServerSignature Off
TraceEnable Off
  
  sudo systemctl reload apache2

Add Security Headers

Security headers tell browsers how to handle your content. These protect against cross-site scripting, clickjacking, and data injection attacks.

Add to your server block or a shared snippets/security-headers.conf:

  # Prevent MIME type sniffing
add_header X-Content-Type-Options "nosniff" always;

# Block page embedding (prevents clickjacking)
add_header X-Frame-Options "SAMEORIGIN" always;

# Enable XSS filtering in older browsers
add_header X-XSS-Protection "1; mode=block" always;

# Control referrer information
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Restrict browser features
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Force HTTPS for 1 year (only add after confirming SSL works)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

To share headers across all sites, create a snippet:

  sudo nano /etc/nginx/snippets/security-headers.conf
# Paste the headers above

# Then include in each server block:
# include snippets/security-headers.conf;

Enable the headers module:

  sudo a2enmod headers

Add to your virtual host or .htaccess:

  Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  
  sudo systemctl reload apache2

Verify Headers

After applying, test with:

  curl -I https://yourdomain.com

You should see all your security headers in the response.

Harden SSL/TLS Configuration

Default SSL settings often allow older, weaker protocols. Lock it down:

  sudo nano /etc/nginx/snippets/ssl-params.conf
  
  # Only allow TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

# Use strong cipher suites
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

# SSL session optimization
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# DH parameters (generate with: sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048)
ssl_dhparam /etc/nginx/dhparam.pem;

Generate DH parameters (takes 1-2 minutes):

  sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048

Include in your server blocks:

  include snippets/ssl-params.conf;
  
  sudo nano /etc/apache2/conf-available/ssl-hardening.conf
  
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
  
  sudo a2enconf ssl-hardening
sudo systemctl reload apache2

Test your SSL grade at SSL Labs – aim for an A or A+.

Block Access to Sensitive Files

Prevent access to dotfiles, backups, and configuration files that should never be served:

  # Block hidden files (except .well-known for SSL verification)
location ~ /\.(?!well-known).* {
    deny all;
}

# Block backup and config files
location ~* \.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|env)$ {
    deny all;
}

# Block access to common framework directories
location ~ /(vendor|node_modules|storage/logs)/ {
    deny all;
}

In your virtual host or .htaccess:

  # Block hidden files
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Block sensitive file types
<FilesMatch "\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|env)$">
    Require all denied
</FilesMatch>

# Block directory listing
Options -Indexes

Disable Unnecessary HTTP Methods

Most websites only need GET, POST, and HEAD. Block the rest:

  if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 405;
}
  
  <LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

Rate Limiting

Protect against brute-force attacks and basic DDoS by limiting request rates:

Add to the http block in nginx.conf:

  # Define rate limit zones
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/s;

Apply to specific locations:

  # Protect login pages
location /wp-login.php {
    limit_req zone=login burst=3 nodelay;
    # ... rest of PHP handling
}

# Protect xmlrpc (or block it entirely)
location /xmlrpc.php {
    deny all;
}

Enable mod_ratelimit or use mod_evasive:

  sudo apt install libapache2-mod-evasive -y
sudo nano /etc/apache2/mods-enabled/evasive.conf
  
  <IfModule mod_evasive20.c>
    DOSHashTableSize    2048
    DOSPageCount        10
    DOSSiteCount        100
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   60
</IfModule>
  
  sudo systemctl reload apache2

Install ModSecurity (Web Application Firewall)

ModSecurity is an open-source WAF that filters malicious requests (SQL injection, XSS, path traversal):

  sudo apt install libmodsecurity3 libmodsecurity-dev -y

ModSecurity for Nginx requires compiling the Nginx connector module. For most users, a simpler approach is to add Cloudflare’s free WAF in front of your server. See How to Set Up Cloudflare.

If you need a local WAF, consider running Nginx with the OWASP CoreRuleSet via Docker.

  sudo apt install libapache2-mod-security2 -y
sudo a2enmod security2

# Enable the default recommended config
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf

Change:

  SecRuleEngine On

Install OWASP Core Rule Set:

  cd /tmp
git clone https://github.com/coreruleset/coreruleset.git
sudo mv coreruleset /etc/modsecurity/crs
sudo cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf

Include the rules:

  sudo nano /etc/apache2/mods-enabled/security2.conf
  
  IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/rules/*.conf
  
  sudo systemctl restart apache2

Start with ModSecurity in DetectionOnly mode first (SecRuleEngine DetectionOnly). Watch the logs (/var/log/apache2/modsec_audit.log) for false positives before switching to On.

Quick Checklist

Hardening StepStatus
Server version hidden
Security headers added
SSL/TLS hardened (A+ on SSL Labs)
Sensitive files blocked
Unnecessary HTTP methods disabled
Rate limiting on login endpoints
xmlrpc.php blocked (WordPress)
WAF active (ModSecurity or Cloudflare)

Last updated 19 Apr 2026, 23:46 +0300. history

Was this page helpful?