# Deny all requests from Apache 2.4+.

[0] Fix | Delete

<IfModule mod_authz_core.c>

[1] Fix | Delete

Require all denied

[2] Fix | Delete

</IfModule>

[3] Fix | Delete

[4] Fix | Delete

# Deny all requests from Apache 2.0-2.2.

[5] Fix | Delete

<IfModule !mod_authz_core.c>

[6] Fix | Delete

Deny from all

[7] Fix | Delete

</IfModule>

[8] Fix | Delete

[9] Fix | Delete

# Turn off all options we don't need.

[10] Fix | Delete

Options -Indexes -ExecCGI -Includes -MultiViews

[11] Fix | Delete

[12] Fix | Delete

# Set the catch-all handler to prevent scripts from being executed.

[13] Fix | Delete

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

[14] Fix | Delete

<Files *>

[15] Fix | Delete

# Override the handler again if we're run later in the evaluation list.

[16] Fix | Delete

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003

[17] Fix | Delete

</Files>

[18] Fix | Delete

[19] Fix | Delete

# If we know how to do it safely, disable the PHP engine entirely.

[20] Fix | Delete

<IfModule mod_php7.c>

[21] Fix | Delete

php_flag engine off

[22] Fix | Delete

</IfModule>

[23] Fix | Delete