Check out the NIST and DISA checklist and STIG docs; they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip

Thank the US taxpayers =)

Regards,
Steve

On Fri, May 30, 2014 at 12:31 PM, Felix Almeida <felix.alme...@rci.rogers.com> wrote:
> Hello,
>
> I was assigned the task of preparing a security policy for Apache HTTP servers in my company and, although I have a few years of experience with it (mostly v2.2), I'd like to have a more formal reference material on which I could base the policy.
>
> Please, is there any good (and not so old) book on Apache security out there that you would recommend?
>
> I know there is a lot of information on this subject on the net, but as far as I could see they only cover the basics like not using a privileged ID, locking down the binaries, logs and directories, .htaccess files, not allowing CGI scripts, etc., which I already know. I'm looking for a book that could cover the basics plus more advanced configurations, again mainly for v2.2 and perhaps also for 2.4.
>
> Thank you!!
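The basics Felix lists (no privileged User/Group, .htaccess disabled, no CGI) are the kind of item the STIG checklists turn into discrete checks. As an added example that is not part of this thread or of the DISA documents, here is a small POSIX shell audit of an httpd.conf against three of them; the regexes, check wording and the sample configuration are my own constructions, not STIG check IDs.

```shell
#!/bin/sh
# Added example (not from the thread or the DISA STIGs): audit an httpd.conf for
# three of the basics Felix lists. Regexes and the sample config are constructed.
# Print the active (uncommented) lines of the given directive, case-insensitively.
directive() { printf '%s\n' "$active" | grep -Ei "^[[:space:]]*$1[[:space:]]"; }
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# audit_httpd_conf FILE: prints PASS/FAIL per check and "failed checks: N";
# the exit status is N.
audit_httpd_conf() {
    fails=0
    # Strip comment text and blank lines so commented-out directives are ignored.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")

    # 1. httpd must not run under a privileged ID.
    if directive '(User|Group)' | grep -Eiq '[[:space:]]root([[:space:]]|$)'; then
        fail "User or Group directive set to root"
    else echo "PASS User/Group not root"; fi

    # 2. .htaccess must be off: any AllowOverride that is not None is a finding.
    if directive 'AllowOverride' | grep -Eivq '[[:space:]]None[[:space:]]*$'; then
        fail "AllowOverride other than None (.htaccess enabled)"
    else echo "PASS AllowOverride None everywhere"; fi

    # 3. CGI must not be enabled through Options (ExecCGI, +ExecCGI or All).
    if directive 'Options' | grep -Eiq '(^|[[:space:]+])(ExecCGI|All)([[:space:]]|$)'; then
        fail "Options enables ExecCGI"
    else echo "PASS Options does not enable ExecCGI"; fi

    echo "failed checks: $fails"
    return "$fails"
}

# Constructed sample: the first <Directory> block trips all three checks.
sample=$(mktemp)
cat >"$sample" <<'EOF'
User root
Group apache
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
<Directory "/var/www/static">
    Options -ExecCGI
    AllowOverride None
</Directory>
EOF
audit_httpd_conf "$sample" || true   # ends with "failed checks: 3"
rm -f "$sample"
```

Point it at a real httpd.conf (and any files it Includes) with `audit_httpd_conf /path/to/httpd.conf`; a non-zero exit status is the number of findings.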