There are many things you can do to make your Apache configuration more secure. Here are some dos and don'ts.
Make sure you've installed the latest security patches
There is no sense in putting locks on the windows, if your door is wide open.
Protect the files outside the web root
You don't want Apache to have access to every part of your system. Deny access to the filesystem root by default, then allow only the web root:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
Protect system settings
To run a really tight ship, you'll want to stop users from setting up .htaccess files which can override security features you've configured. Here's one way to do it.
<Directory /var/www>
AllowOverride None
</Directory>
Turn off directory browsing
Letting visitors list the files and directories under a directory is a bad idea. Disable it:
Options -Indexes
Lower the Timeout value
The default value of the Timeout directive is 300 seconds. You can lower it to something shorter, such as:
Timeout 45
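
To check an existing configuration against the four settings above, here is a small audit script. It is an added example, not part of the original page; the names audit, WEAK, HARDENED and max_timeout are assumptions made for illustration, and both sample configurations are constructed. It goes slightly beyond the page by also accepting the Apache 2.4 form "Require all denied" as a default deny on the root.

```python
import re

# Constructed weak sample (not from the page).
WEAK = """<Directory />
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
Timeout 300
"""
# The page's settings combined into one fragment.
HARDENED = """<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www>
Order Allow,Deny
Allow from all
Options -Indexes
AllowOverride None
</Directory>
Timeout 45
"""

def audit(conf, max_timeout=45):
    """Return a list of findings for the four settings this page recommends."""
    findings, path, root_denied, timeout = [], None, False, None
    for raw in conf.splitlines():
        parts = raw.lower().split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and whole-line comments
        name, args, rule = parts[0], parts[1:], " ".join(parts)
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', raw.strip(), re.I)
        if m or name == "</directory>":
            path = m.group(1) if m else None  # track the enclosing <Directory>
        elif name == "timeout" and path is None and args and args[0].isdigit():
            timeout = int(args[0])
        elif path == "/" and rule in ("deny from all", "require all denied"):
            root_denied = True
        elif path and name == "allowoverride" and args != ["none"]:
            findings.append(f"{path}: AllowOverride lets .htaccess change settings")
        elif path and name == "options" and {a.lstrip("+") for a in args} & {"indexes", "all"}:
            findings.append(f"{path}: directory listing is enabled")
    if not root_denied:
        findings.append("/: no default deny on the filesystem root")
    if timeout is None or timeout > max_timeout:
        findings.append(f"Timeout is unset or above {max_timeout} seconds")
    return findings
```

Calling audit(HARDENED) returns an empty list, while audit(WEAK) reports the directory listing, the permissive AllowOverride, the missing default deny and the long Timeout.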