Securing Apache - security.conf

Apache is probably the most common web server in use and, despite the well-documented hardening guides, we come across missing or weak response headers and very poor SSL/TLS configurations on a daily basis. To aid remediation, here is Peter Bassill's recommended configuration for Apache's global security file, which on Debian and Ubuntu lives at /etc/apache2/conf-enabled/security.conf. The Header directives need mod_headers (a2enmod headers); after editing, run apache2ctl configtest and reload Apache, then confirm the result with curl -sI against the live host:

# ModSecurity's SecServerSignature (below) can only overwrite the Server
# banner when ServerTokens is Full. If mod_security is NOT loaded, change
# this to "ServerTokens Prod" or every response leaks the full
# Apache/OpenSSL/OS version string.
ServerTokens Full
# Never add the banner line to error pages and directory listings
ServerSignature Off
# Disable HTTP TRACE (cross-site tracing)
TraceEnable Off
# Inode/mtime based ETags leak filesystem details and differ across a cluster
FileETag None
# Do Header stuff (requires mod_headers; "always" also covers Apache's own 4xx/5xx responses)
<IfModule mod_headers.c>
 Header unset Pragma
 Header unset ETag
 Header always set X-XSS-Protection "1; mode=block"
 # Use set, not append: if a backend already sends X-Frame-Options, append
 # produces "DENY, SAMEORIGIN", which browsers reject, silently losing the
 # clickjacking protection
 Header always set X-Frame-Options SAMEORIGIN
 Header always set X-Content-Type-Options nosniff
 Header always set Referrer-Policy "no-referrer"
</IfModule>
<IfModule mod_ssl.c>
 # HSTS for two years; only keep includeSubDomains once every subdomain serves HTTPS,
 # because browsers cache this and HTTP-only subdomains become unreachable
 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 # !RSA drops static-RSA key exchange so every remaining suite offers forward secrecy.
 # TLS 1.3 suites are not governed by this list; on Apache 2.4.36+ set them with
 # "SSLCipherSuite TLSv1.3 ..."
 SSLCipherSuite HIGH:!MEDIUM:!RSA:!aNULL:!MD5:!SEED:!IDEA
 # Only TLS 1.2 (and TLS 1.3 where available) remain
 SSLProtocol ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
 SSLHonorCipherOrder On
</IfModule>
<IfModule security2_module>
 # Replaces the Server banner; needs ServerTokens Full (see above)
 SecServerSignature "web"
 # Paths follow the Debian/Ubuntu modsecurity-crs 2.x package layout; CRS 3 ships
 # crs-setup.conf plus a rules/ directory instead of activated_rules/
 Include /usr/share/modsecurity-crs/*.conf
 Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
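To check that the configuration above actually took effect, capture the headers of a live host with curl -sI https://host/ and run them through a checker. The script below is an added example, not part of the original post or of Peter Bassill's configuration; the two responses embedded in it are constructed, one from a default Apache and one from a server running this security.conf, and the expectations it enforces (no version in Server, no ETag or Pragma, a single X-Frame-Options value, HSTS with at least the two-year max-age and includeSubDomains) are taken directly from the directives above.

```python
"""Audit HTTP response headers against the hardening policy in security.conf.

Usage on a live host:  curl -sI https://host/ | python3 audit_headers.py
The two captures below are constructed for this example.
"""
import re
import sys

HSTS_MIN_AGE = 63072000  # two years, the value security.conf sets

# Constructed capture: a stock Apache with no hardening applied
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
ETag: "2d-5f1a2b3c4d5e6"
X-Frame-Options: DENY, SAMEORIGIN
Content-Type: text/html
"""

# Constructed capture: the same host after security.conf (with mod_security) is active
AFTER = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: web
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
Content-Type: text/html
"""


def parse_headers(raw):
    """Parse `curl -sI` output into {lowercased name: [values]}; repeats are kept."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return a list of findings; an empty list means the policy is fully applied."""
    h = parse_headers(raw)
    findings = []

    def single(name):
        # Headers that must carry exactly one value; a comma or a repeat usually
        # means "Header append" or a duplicate in a vhost, and browsers reject it.
        vals = h.get(name, [])
        if not vals:
            findings.append(f"{name}: missing")
            return None
        if len(vals) > 1 or "," in vals[0]:
            findings.append(f"{name}: multiple values {vals} (check for Header append)")
            return None
        return vals[0]

    server = h.get("server", [""])[0]
    if re.search(r"\d", server):  # any digit in the banner is a version leak
        findings.append(f"server: version leaked ({server!r})")
    for leaky in ("etag", "pragma"):
        if leaky in h:
            findings.append(f"{leaky}: still sent")

    xfo = single("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")

    xcto = single("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"x-content-type-options: unexpected value {xcto!r}")

    single("x-xss-protection")  # presence and single value only
    if "referrer-policy" not in h:  # may legitimately be a comma-separated fallback list
        findings.append("referrer-policy: missing")

    hsts = single("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"strict-transport-security: max-age below {HSTS_MIN_AGE} ({hsts!r})")
        if "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security: includeSubDomains missing")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for finding in audit(raw) or ["no findings"]:
        print(finding)
```

Note that the checker treats any digit in the Server header as a version leak, which is deliberately strict: the whole point of SecServerSignature "web" (or ServerTokens Prod without ModSecurity) is that nothing version-shaped survives.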