The heart and soul of the Apache Web server (and all its derivatives) is the httpd.conf configuration file. The format of httpd.conf is plain-text, the file is extremely well-documented, and it is the primarily controller of most of Apache's configurable behaviors. From a security perspective, the default httpd.conf bundled with Apache locks down the program to a relatively strict operating paradigm. But seasoned administrators typically wants more than "out of the box" security; they want to understand what each and every directive does, how it affects the secure operation of their server, and how the supplied directives might be manipulated or further tightened in unique situations. This section covers these topics.

The httpd.conf file is divided into three basic sections: global configuration options, server configuration options, and virtual hosts.