Ways of Securing Apache
How To - Apache HTTP Server
Written by Christian Foronda   
Thursday, 18 March 2010 11:04

Hide The Apache Version Number And Other Sensitive Information.

	ServerSignature Off
	ServerTokens Prod

ServerSignature controls the footer line (server name, version and host) that Apache appends to pages it generates itself, such as 404 pages and directory listings.
ServerTokens controls how much detail goes into the Server HTTP response header. It is a server-wide setting and cannot differ per virtual host. With Prod, every response carries only:

	Server: Apache

Make Sure Apache Is Running Under Its Own User Account And Group

	User apache
	Group apache

The account should be a dedicated one with no login shell, and it should not own the configuration, the binaries or (ideally) the web content; Apache only needs to read them. Never run the server as root, and avoid sharing an account such as nobody with other daemons, since a compromise of one process then reaches the others.

Ensure That Files Outside The Web Root Are Not Served

	<Directory />
	  Order Deny,Allow
	  Deny from all
	  Options None
	  AllowOverride None
	</Directory>
	<Directory /web>
	  Order Allow,Deny
	  Allow from all
	</Directory>

The first block denies access to everything from the filesystem root down and disables all options and .htaccess overrides; the second re-opens only the document root (/web here; substitute your own DocumentRoot). Options and AllowOverride are inherited, so /web also gets Options None unless a specific option is explicitly enabled there. This is the Apache 2.2 syntax (provided by mod_access_compat on 2.4); on Apache 2.4 use Require all denied and Require all granted in place of the Order/Deny/Allow lines.

Turn Off Directory Browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

	Options -Indexes

Turn Off Server Side Includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

	Options -Includes

Turn Off CGI Execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

	Options -ExecCGI

Don't Allow Apache To Follow Symbolic Links

	Options -FollowSymLinks

This stops a symlink planted inside the document root from exposing files elsewhere on the filesystem. If a particular tree genuinely needs symlinks (mod_rewrite rules in .htaccess require FollowSymLinks or SymLinksIfOwnerMatch), prefer SymLinksIfOwnerMatch, which follows a link only when the link and its target have the same owner.

Turning Off Multiple Options

	Options None

If you only want to turn off some of them, separate each option with a space in your Options directive:

	Options -ExecCGI -FollowSymLinks -Indexes

Turn Off Support For .htaccess Files

This is also done inside a Directory tag, but with the AllowOverride directive. Set it to None:

	AllowOverride None

If you do need overrides, ensure that the override files cannot be downloaded, and/or rename them to something other than .htaccess. For example, you could change the name to .httpdoverride and block every file whose name starts with .ht from being served; because the new name still begins with .ht, the same Files block covers both the old and the new name:

	AccessFileName .httpdoverride
	<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	Satisfy All
	</Files>

Disable Any Unnecessary Modules

Go through the apache module documentation and learn what each module you have enabled actually does.
Here are some modules that are typically enabled but often not needed:

	mod_imap (renamed mod_imagemap in Apache 2.2)
	mod_include
	mod_info
	mod_userdir
	mod_status
	mod_cgi
	mod_autoindex

mod_info and mod_status in particular expose configuration and runtime details to anyone who can reach /server-info and /server-status; if you keep them, restrict those locations by IP as described below.

Make Sure Only Root Has Read Access To Apache's Config And Binaries

Assuming your Apache installation is located at /usr/local/apache, run:

	# chown -R root:root /usr/local/apache
	# chmod -R o-rwx /usr/local/apache

This removes all access for users other than root and the root group. The document root and the log directory normally live outside this prefix; if htdocs or logs are under it, the worker processes (running as the apache user above) still need read access to the content, so grant that through the group rather than by restoring the "other" bits.
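The following POSIX shell script is an added example, not code from the original article. It lists files under an Apache prefix that are still readable, writable or executable by "other" and then applies the chmod above; the install prefix is an assumption (pass /usr/local/apache or your distribution's directory), and the directory tree it builds is constructed in a temporary directory purely for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an Apache install
# prefix for files still accessible to "other", then apply the article's
# chmod. The prefix is an assumption; pass your real one (/usr/local/apache
# in the article, /etc/httpd on Red Hat-style systems).

# Print every path under $1 with any of the other-r/w/x bits set.
# "-perm -MODE" is POSIX (all bits of MODE set), so the three bits are
# OR'ed as separate clauses instead of relying on GNU-only "-perm /o+rwx".
find_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Same check as a count, convenient for scripts and assertions.
count_world_accessible() {
    find_world_accessible "$1" | wc -l | tr -d ' '
}

# Print every path under $1 not owned by root:root (fixing this needs root).
find_not_root_owned() {
    find "$1" \( ! -user root -o ! -group root \) -print
}

# The article's fix. chown is skipped with a warning when not running as
# root rather than aborting part-way through the tree.
harden_apache_tree() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$1"
    else
        echo "not root: skipping chown -R root:root $1" >&2
    fi
    chmod -R o-rwx "$1"
}

# Constructed demo tree (not a real install) with the loose modes a source
# build typically leaves behind. Every mode is set explicitly so the result
# does not depend on the caller's umask.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/conf" "$d/bin"
    printf 'ServerTokens Prod\n' > "$d/conf/httpd.conf"
    printf '#!/bin/sh\nexec /nonexistent/httpd "$@"\n' > "$d/bin/httpd"
    chmod 700 "$d" "$d/conf" "$d/bin"
    chmod 644 "$d/conf/httpd.conf"   # world-readable config: flagged
    chmod 755 "$d/bin/httpd"         # world-executable binary: flagged
    echo "$d"
}

# Demo run: two findings before hardening, none after.
t=$(make_demo_tree)
echo "before hardening:"
find_world_accessible "$t"
harden_apache_tree "$t"
echo "after hardening: $(count_world_accessible "$t") world-accessible paths"
rm -rf "$t"
```

Run find_not_root_owned and find_world_accessible against the real prefix before changing anything, so you see exactly which paths the recursive chown and chmod will touch.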

Lower The Timeout Value

By default the Timeout directive is set to 300 seconds on Apache 2.2 (60 on Apache 2.4). Lowering it helps mitigate the effects of a denial-of-service attack in which clients open connections and then send data slowly or not at all:

	Timeout 45

Limit Large Requests

LimitRequestBody caps the size of a request body and is also useful for mitigating the effects of a denial-of-service attack.
Its default is 0, meaning unlimited (Apache 2.4.53 and later default to 1 GiB). If you allow file uploads of no more than 1MB, you could set it to:

	LimitRequestBody 1048576

If you're not allowing file uploads you can set it even smaller.

Limiting The Size Of An XML Body

If you're running mod_dav (typically with mod_dav_svn for Subversion) then you may want to limit the maximum size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default is 1000000 bytes (roughly 1 MB). Many tutorials will have you set it to 0, which removes the limit entirely. Note that it governs XML request bodies such as PROPFIND, not plain PUT uploads, which fall under LimitRequestBody; removing the limit may be necessary for some WebDAV clients, but for source control you can usually set an upper bound such as 10 MB:

	LimitXMLRequestBody 10485760

Restricting Access By IP

Restrict an intranet-only site by allowing only your internal network. The example uses 176.16.0.0/16 as the internal range; substitute your own block (for most intranets an RFC 1918 range such as 172.16.0.0/12). On Apache 2.4 the equivalent is Require ip 176.16.0.0/16:

	Order Deny,Allow
	Deny from all
	Allow from 176.16.0.0/16

Or a single host, here the loopback address:

	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1
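As an added example that is not part of the original article, the following POSIX shell script audits a flat httpd.conf for the directives covered in the ServerTokens/ServerSignature, Options, AllowOverride, Timeout and LimitRequestBody sections above. It assumes a self-contained file (Include'd files are not followed) and checks each server-level directive by its last occurrence, ignoring virtual-host scope; the two sample configs it writes are constructed for the demo and do not come from any real host.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a flat httpd.conf
# for the settings recommended above and print one finding per line.
# Assumptions: Include'd files are not followed, and server-level directives
# are judged by their last occurrence regardless of vhost scope.

# Config with leading whitespace, comments and blank lines removed, so each
# remaining line is "Directive args..." or a <Section> tag.
strip_config() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Last value given for a directive (later settings win). Names are
# case-insensitive in Apache, hence tolower on both sides.
last_value() {
    strip_config "$1" | awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }'
}

# Print one line per weakness found; prints nothing for a clean file.
audit_httpd_conf() {
    conf=$1
    v=$(last_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
    case "$v" in
        prod|productonly) ;;
        *) echo "ServerTokens is '${v:-unset}' (default Full); set ServerTokens Prod" ;;
    esac
    v=$(last_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
    case "$v" in
        on|email) echo "ServerSignature $v puts version info on error pages; set ServerSignature Off" ;;
    esac
    # Per-directory checks: any AllowOverride other than None, and any Options
    # entry (bare or +prefixed) that enables a feature the article turns off.
    # "-Indexes" style entries are left alone.
    strip_config "$conf" | awk '
        tolower($1) == "allowoverride" && tolower($2) != "none" {
            print "AllowOverride " $2 " enables .htaccess processing; set AllowOverride None"
        }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = $i
                if (substr(o, 1, 1) == "+") o = substr(o, 2)
                l = tolower(o)
                if (l == "all")
                    print "Options All enables every feature; use Options None"
                else if (l == "indexes" || l == "includes" || l == "execcgi" || l == "followsymlinks")
                    print "Options enables " o "; use Options None or -" o
            }
        }'
    v=$(last_value "$conf" Timeout)
    if [ -z "$v" ] || [ "$v" -gt 60 ]; then
        echo "Timeout is '${v:-unset}' (Apache 2.2 default 300); lower it, e.g. Timeout 45"
    fi
    v=$(last_value "$conf" LimitRequestBody)
    if [ -z "$v" ] || [ "$v" -eq 0 ]; then
        echo "LimitRequestBody is '${v:-unset}' (0 = unlimited); set a ceiling, e.g. LimitRequestBody 1048576"
    fi
}

# Number of findings (0 = clean), for scripting and assertions.
audit_count() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not from any real host) to run the audit on.
write_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed weak config
ServerTokens Full
ServerSignature On
Timeout 300
<Directory "/web">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/web/private">
    Options -Indexes
    AllowOverride None
</Directory>
EOF
    echo "$f"
}

write_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ServerTokens Prod
ServerSignature Off
Timeout 45
LimitRequestBody 1048576
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory "/web">
    Options -Indexes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
EOF
    echo "$f"
}

w=$(write_weak_conf); echo "weak config: $(audit_count "$w") findings"; audit_httpd_conf "$w"; rm -f "$w"
h=$(write_hardened_conf); echo "hardened config: $(audit_count "$h") findings"; rm -f "$h"
```

The weak sample produces seven findings (verbose ServerTokens, ServerSignature On, Timeout 300, no LimitRequestBody, AllowOverride All, and the Indexes and FollowSymLinks options), while the second sample, which applies the article's settings, produces none. Point audit_httpd_conf at your own file once you have merged any Include'd fragments into it.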


Reference: http://www.petefreitag.com




Last Updated on Thursday, 18 March 2010 11:08