There are lots of ways to increase the security of the Apache Web Server. For serious applications, use the

But before you start, if a web application is involved, I recommend completing the setup of your application first, verifying that the core functions work, and then carefully applying each security setting, testing at intervals.

Use the Center for Internet Security (CIS): search for "apache benchmark" and look for your version of Apache to get hardening documentation.

I'll create my own abridged version in the future, with an additional perspective on the impact on web applications.

Disable ETag Header

ETag (entity tag) was introduced to help improve caching. However, besides not being very effective in enterprise cluster environments, it also exposes sensitive information such as the inode number, multipart MIME boundary and child processes. It allows hackers to uniquely identify a particular server.

Unless you have a compelling reason not to, you may:

  1. Disable ETag and rely on the default Expires or Cache-Control header information.
  2. At a minimum, disable INode.
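
The two options above as Apache configuration. This is an added example, not part of the original page; the cache lifetime is a constructed sample value, and the mod_headers and mod_expires modules are assumed to be available.

```apache
# --- Option 1: disable ETag completely ---------------------------------
# Stop Apache from generating ETags for static files.
FileETag None

# Also strip any ETag set by other handlers or proxied backends.
# Requires mod_headers.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

# With ETag gone, caching relies on Expires / Cache-Control.
# mod_expires emits both headers; the lifetime below is a sample value,
# tune it to how often your content changes.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 hour"
</IfModule>

# --- Option 2: keep ETag, but leave the inode out ----------------------
# Use this INSTEAD of option 1 if you need ETag validation.
# The tag is then built from modification time and size only, so it no
# longer differs between cluster nodes serving identical files.
# FileETag MTime Size
```

After reloading Apache, check a static file with `curl -sI` against your own site: with option 1 no `ETag:` line should appear, and with option 2 the value should no longer contain the inode field.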

... to fill out