Web Server Security Audit

Security audit for Apache, Nginx and LiteSpeed web servers including configuration, SSL/TLS, PHP, permissions and exposed resources.

What We Check

A Web Server Security Audit reviews the configuration and security of your web server software, SSL/TLS setup, PHP environment and related components. We identify misconfigurations, information leaks and weaknesses that expose your server to attack.

Our audit covers:

  • Web server configuration — Apache, Nginx or LiteSpeed main configuration, module loading, process limits, timeout settings
  • Virtual hosts — per-site configuration, isolation between sites, document root permissions, access controls
  • SSL/TLS — certificate validity, chain completeness, protocol versions (TLS 1.2/1.3), cipher suites, HSTS, OCSP stapling
  • HTTP security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Directory listing — autoindex enabled on directories that should not be browsable
  • Server information exposure — ServerTokens, ServerSignature, Nginx server_tokens, version disclosure in headers and error pages
  • PHP configuration — expose_php, display_errors, allow_url_include, disabled functions, open_basedir, session security, upload limits
  • File permissions — web-accessible configuration files, writable directories, ownership issues, sensitive files in document roots
  • .htaccess review — rewrite rules, access restrictions, authentication configurations, conflicting directives
  • ModSecurity / WAF — rule set presence, mode (detection vs. blocking), false positive tuning, coverage
  • Rate limiting — connection limits, request rate controls, slowloris protection, DDoS mitigation at the web server level
  • Access logs — log format, retention, signs of scanning, brute force, exploitation attempts, suspicious user agents

Common Issues We Find

  • SSL/TLS configured with outdated protocols (TLS 1.0/1.1) or weak cipher suites
  • Security headers missing or incorrectly configured
  • PHP display_errors enabled in production, exposing file paths and database details
  • Directory listing enabled on upload or backup directories
  • Server version fully disclosed in response headers and error pages
  • .htpasswd, .env, .git or backup files accessible via the web
  • ModSecurity installed but running in detection-only mode
  • Virtual hosts sharing the same user, allowing cross-site access
  • No rate limiting, leaving the server open to brute force and scraping
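As an added illustration (this is not the auditor's own tooling or report logic), the script below turns a few of the checklist items from the two lists above into static checks over Apache, Nginx and php.ini fragments: legacy TLS protocol versions, directory listing, version disclosure, a missing HSTS header, display_errors in production and ModSecurity in detection-only mode. The rule names, severities and the three configuration fragments are constructed for the example; the Apache SSLProtocol parser follows the documented `all` / `+` / `-` semantics of that directive, which is why `SSLProtocol all -SSLv3` is flagged even though it looks restrictive.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    check: str     # short identifier for the failed check
    detail: str    # explanation, with the offending line where there is one


def _rx(pattern):
    """Build a line predicate from a case-insensitive regex."""
    return lambda line: re.search(pattern, line, re.I) is not None


def apache_tls_legacy(line):
    """True if an Apache SSLProtocol directive leaves SSLv3, TLS 1.0 or 1.1 on.

    Follows httpd semantics: 'all' is every protocol except SSLv2, and '+' / '-'
    add or remove versions in the order written (bare names count as '+').
    """
    parts = line.split()
    if not parts or parts[0].lower() != "sslprotocol":
        return False
    every = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
    enabled = set()
    for token in parts[1:]:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = every if name.lower() == "all" else {name.lower()}
        enabled = enabled | versions if sign == "+" else enabled - versions
    return bool(enabled & {"sslv3", "tlsv1", "tlsv1.1"})


# A matching line is a finding: (severity, check id, predicate, explanation).
PRESENT_RULES = {
    "nginx": [
        ("high", "tls-legacy-protocol", _rx(r"^ssl_protocols\b.*\bTLSv1(?:\.1)?(?![.\d])"),
         "ssl_protocols still permits TLS 1.0 or 1.1"),
        ("medium", "directory-listing", _rx(r"^autoindex\s+on\b"),
         "autoindex on exposes directory contents"),
    ],
    "apache": [
        ("high", "tls-legacy-protocol", apache_tls_legacy,
         "SSLProtocol leaves SSLv3, TLS 1.0 or TLS 1.1 enabled"),
        ("medium", "waf-detection-only", _rx(r"^SecRuleEngine\s+DetectionOnly\b"),
         "ModSecurity logs but does not block"),
    ],
    "php": [
        ("high", "display-errors", _rx(r"^display_errors\s*=\s*(?:on|1|stdout|stderr)\b"),
         "display_errors shows file paths and query details to visitors"),
    ],
}

# A finding unless some line matches: (severity, check id, regex, explanation).
REQUIRED_RULES = {
    "nginx": [
        ("low", "version-disclosure", r"^server_tokens\s+off\b",
         "server_tokens is not off (Nginx defaults to on)"),
        ("medium", "hsts-missing", r"^add_header\s+Strict-Transport-Security\b",
         "no Strict-Transport-Security header is set"),
    ],
    "apache": [
        ("low", "version-disclosure", r"^ServerTokens\s+Prod\b",
         "ServerTokens is not Prod, so the full version is disclosed"),
        ("low", "server-signature", r"^ServerSignature\s+Off\b",
         "ServerSignature is not Off, so error pages carry the version"),
        ("medium", "hsts-missing", r"^Header\s+(?:always\s+)?set\s+Strict-Transport-Security\b",
         "no Strict-Transport-Security header is set"),
    ],
    "php": [
        ("low", "expose-php", r"^expose_php\s*=\s*(?:off|0)\b",
         "expose_php is not Off, so X-Powered-By reveals the PHP version"),
    ],
}

COMMENT_CHAR = {"nginx": "#", "apache": "#", "php": ";"}


def audit(kind, text):
    """Run the rules for one config kind over its text; returns sorted Findings."""
    lines = []
    for raw in text.splitlines():
        line = raw.split(COMMENT_CHAR[kind], 1)[0].strip()  # drop comments
        if line:
            lines.append(line)
    findings = []
    for severity, check, matches, detail in PRESENT_RULES[kind]:
        findings += [Finding(severity, check, f"{detail}: {line!r}")
                     for line in lines if matches(line)]
    for severity, check, pattern, detail in REQUIRED_RULES[kind]:
        if not any(re.search(pattern, line, re.I) for line in lines):
            findings.append(Finding(severity, check, detail))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.check))


# Constructed config fragments exhibiting several issues from the list above.
SAMPLE_NGINX = """
server_tokens on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
location /uploads/ {
    autoindex on;
}
"""
SAMPLE_APACHE = """
ServerTokens Full
ServerSignature On
SSLProtocol all -SSLv3
SecRuleEngine DetectionOnly
Header always set Strict-Transport-Security "max-age=31536000"
"""
SAMPLE_PHP = """
; php.ini fragment
display_errors = On
"""

if __name__ == "__main__":
    for kind, text in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE), ("php", SAMPLE_PHP)):
        for f in audit(kind, text):
            print(f"[{f.severity:<6}] {kind}: {f.check} - {f.detail}")
```

The "required" rules report a configuration that is silent on a setting as well as one that sets it badly, because for `server_tokens`, `ServerTokens` and `expose_php` the default is the disclosing value; an explicit `off` / `Prod` is the only state that passes.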

What You Receive

  • A detailed web server security report covering all areas listed above
  • SSL/TLS assessment with grade and specific improvement recommendations
  • Risk-rated findings with severity levels
  • Remediation instructions for each finding, including configuration examples
  • Follow-up consultation to discuss findings and implementation priorities

For application-level security reviews, penetration testing or cloud-hosted web infrastructure audits, see YourInfraAudit.com.

Get Started

Review our pricing or contact us to schedule a web server security audit.

Need a different audit scope?

We tailor every engagement to your infrastructure. Tell us what you need.
