| AS24-W1-000010 - The Apache web server must limit the number of allowed simultaneous session requests. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| AS24-W1-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000180 - The Apache web server log files must only be accessible by privileged users. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly secure | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000670 - The Apache web server must restrict inbound connections from nonsecure zones. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| AS24-W1-000680 - The Apache web server must be configured to immediately disconnect or disable remote access to the hosted applications. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| AS24-W1-000690 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| AS24-W1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000760 - The Apache web server must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) with a minimum granularity of one second - LogFormat %t | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000930 - The Apache web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| AS24-W1-000940 - All accounts installed with the Apache web server software and tools must have passwords assigned and default passwords changed. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WWA022 W22 - The KeepAlive directive must be enabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - '-ExecCGI' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WWA050 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. - 'SetHandler' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WWA052 W22 - The FollowSymLinks setting must be disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WWA054 W22 - Server side includes (SSIs) must run with execution capability disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA000-WWA064 W22 - The HTTP request header field size must be limited. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA070 W22 - A private web server must be located on a separate controlled access subnet. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WA00545 W22 - Web server options for the OS root must be disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen 80 does not exists' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WA00615 W22 - System logging must be enabled. - 'CustomLog' | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | AUDIT AND ACCOUNTABILITY |
| WG080 A22 - Installation of a compiler on production web server is prohibited. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG130 W22 - All utility programs, not necessary for operations, must be removed or disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WG170 A22 - Each readable web document directory must contain either a default, home, index, or equivalent file. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | |
| WG204 W22 - A web server installation must be segregated from other services. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG235 W22 - Web Administrators must only use encrypted connections for Document Root directory uploads. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
| WG240 W22 - Logs of web server access and errors must be established and maintained. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WG242 A22 - Log file data must contain required data elements. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| WG250 W22 - Log file access must be restricted to System Administrators, Web Administrators or Auditors. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WG255 W22 - Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | |
| WG260 W22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
| WG280 - The access control files are owned by a privileged web server account - HTACCESS_DIR | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG290 A22 - Web client access to the content directories must be restricted to read and execute - script alias | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG290 A22 - Web client access to the content directories must be restricted to read and execute - script alias | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WG290 A22 - Web client access to the content directories must be restricted to read and execute - script alias match | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WG310 A22 - A web site must not contain a robots.txt file | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WG310 A22 - A web site must not contain a robots.txt file - document root | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WG310 W22 - A web site must not contain a robots.txt file. - 'DocumentRoot' | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WG345 A22 - The web server must remove all export ciphers from the cipher suite. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG350 A22 - A private web server will have a valid DoD server certificate. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG400 A22 - All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | ACCESS CONTROL |
| WG430 A22 - Anonymous FTP user access to interactive scripts is prohibited. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG470 W22 - Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. - 'Cscript.exe' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG490 A22 - Java software on production web servers must be limited to class files and the JAVA virtual machine - cgi-bin | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WG490 A22 - Java software on production web servers must be limited to class files and the JAVA virtual machine - html | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'Alias - *.jpp' | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WG610 W22 - Web sites must utilize ports, protocols, and services according to PPSM guidelines. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
