One way to help secure your web application is to use the Apache module mod_security. It lets you specify extra rules and settings that help catch issues that would normally pass through unchecked. Unfortunately, it may not play nicely with all web-based applications. In this new article on the O'Reilly Broadcast, Caitlyn Martin describes some of the steps she took to get mod_security and Drupal to cooperate.
Deploying Drupal on an Apache web server with mod_security or adding mod_security to an Apache server with Drupal running should be as easy as installing the relevant packages. Unfortunately, on Red Hat Enterprise Linux (RHEL) 5.4 and 5.5 servers it just isn't so. This is due to a combination of a bug and an outdated Core Rule Set (CRS) in the current mod_security package in the EPEL (Extra Packages for Enterprise Linux) repository. I've seen lots of posts online where people were struggling with this combination so I decided a how-to article was in order.
She walks you through the install process for mod_security (assuming you already have Apache and Drupal installed), which settings to change, which directories and permissions to add, and how to replace the old Core Rule Set with a newer version.