Apache 2.4 TLS hardening snippet (HTTP→HTTPS redirect, HSTS, OCSP stapling, TLS protocol and cipher policy, browser security headers). Read the inline caveats before deploying; several settings (HSTS scope, session tickets, legacy cipher suites) are deployment decisions rather than drop-in defaults.
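<VirtualHost *:80>
    ServerName example.com
    ErrorLog /var/log/apache/error_example.com.log

    # Serve nothing over plain HTTP: send every request to the TLS vhost.
    # This redirect is what actually moves clients to HTTPS. The previous
    # version set Strict-Transport-Security and Public-Key-Pins here, but
    # browsers ignore both when received over an unencrypted connection
    # (RFC 6797 section 8.1 for HSTS), so they gave no protection on :80 and
    # only suggested that they did.
    # The target host is fixed rather than derived from the request's Host
    # header, so a forged Host value cannot turn this into an open redirect.
    Redirect permanent / https://example.com/
</VirtualHost>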
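<IfModule mod_ssl.c>
    # The stapling cache must be declared at server scope (outside any vhost).
    # Keep it under ServerRoot (the "logs/" form the mod_ssl docs use) rather
    # than in /tmp: /tmp is world-writable, so any local user can pre-create
    # or tamper with a file at a predictable path there.
    SSLStaplingCache shmcb:logs/stapling_cache(128000)

    <VirtualHost *:443>
        DocumentRoot /var/www/
        ServerName example.com
        ErrorLog /var/log/apache/error_example.com.log

        SSLEngine on
        # The certificate file should hold the leaf followed by the intermediate
        # chain (SSLCertificateFile accepts the chain since 2.4.8). Clients that
        # do not already have the intermediate fail validation otherwise.
        SSLCertificateFile /etc/ssl/apache2/example.com.crt
        SSLCertificateKeyFile /etc/ssl/apache2/example.com.key

        # "all -SSLv3" still allowed TLS 1.0 and 1.1, both deprecated
        # (RFC 8996); disable them explicitly. TLS 1.3 is included by "all"
        # whenever the httpd/OpenSSL build supports it.
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        # Forward-secret suites only (ECDHE/DHE), AEAD (GCM) first. The SHA-1
        # CBC suites toward the end are kept solely for old clients and should
        # be dropped once those clients are gone. The "!" exclusions remove
        # anonymous/NULL, export, DES/3DES, RC4, MD5 and PSK suites.
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
        # Server picks the suite, so the order above is what counts.
        SSLHonorCipherOrder on
        # TLS-level compression enables the CRIME attack; keep it off.
        SSLCompression off
        # Session tickets are encrypted with a key generated at httpd start and
        # rotated only on restart; a long-lived ticket key undermines the
        # forward secrecy the ECDHE/DHE suites are meant to provide. Requires
        # 2.4.11+; drop this line on older 2.4 builds.
        SSLSessionTickets off

        # OCSP stapling: the server delivers the revocation response in-band
        # instead of having each client contact the CA's responder.
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        # Do not forward responder errors to clients: a transient outage at the
        # CA's responder would otherwise become a hard TLS failure for users.
        SSLStaplingReturnResponderErrors off
        # Issuer certificate mod_ssl needs to validate stapled OCSP responses.
        # Note that this directive also defines which CAs are accepted for
        # client certificates should SSLVerifyClient ever be enabled here.
        SSLCACertificateFile /etc/ssl/apache2/example.com_CA.crt

        # HSTS, 180 days. "includeSubDomains" belongs here only once every
        # subdomain serves HTTPS, and "preload" (which also requires
        # max-age >= 31536000) only when submitting to the browser preload
        # list. Both are HSTS directives -- the previous config put them on the
        # HPKP header instead, where "preload" is not a recognised directive.
        Header always set Strict-Transport-Security "max-age=15552000"

        # Public-Key-Pins is deliberately NOT set. HPKP (RFC 7469) is deprecated
        # and no longer honoured by current browsers, and a wrong pin set locks
        # clients out for the full max-age. The previous pins were also both
        # documented as derived from example.com_CA.crt, with no backup pin for
        # a key outside the served chain, which RFC 7469 requires.
        # If pinning is still wanted, trial it with the Report-Only variant and
        # a report-uri before ever enforcing it:
        # pin generation: openssl x509 -noout -in example.com_CA.crt -pubkey | openssl asn1parse -noout -inform pem -out tmp.key; openssl dgst -sha256 -binary tmp.key | openssl enc -base64
        # reIKrQPC+mmj+0OSUhJW0gQmUxXSm2O3N3bhso/ENzs=
        # m7bewwT8Jlkt3bTr5dQAdZbVprj4FWAZ6Czi41APvzw=
        # Header always set Public-Key-Pins-Report-Only "pin-sha256=\"reIKrQPC+mmj+0OSUhJW0gQmUxXSm2O3N3bhso/ENzs=\"; pin-sha256=\"m7bewwT8Jlkt3bTr5dQAdZbVprj4FWAZ6Czi41APvzw=\"; max-age=15552000; includeSubDomains"

        # Clickjacking protection; CSP "frame-ancestors" is the modern
        # equivalent and can be added alongside.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
        Header always set X-Frame-Options "SAMEORIGIN"
        # Stop browsers from MIME-sniffing responses into scripts or styles.
        # This was commented out before; there is no reason to leave it off.
        # https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
        Header always set X-Content-Type-Options "nosniff"
    </VirtualHost>
</IfModule>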