A hardened OS (e.g. using a hardened base image, see below),
Deactivation of all services, plugins and other functionality that is not needed, especially if they are exposed (executable from remote).
Hardened SSL/TLS stack (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015823).
Activated security headers according to https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015832/Appendix+A%3A+Requirements+for+HTTP+Security+Header.
Removal of samples and other default content.
Execution of network services (e.g. web or application servers) with only minimal privileges and isolated from other processes if possible (e.g. as an isolated container or dedicated server instance, VM or host).
Network services bound to localhost if access only required from same system.
Network services should only be accessible from certain IPs if possible.
Deactivation of file handlers that are not required (e.g. “.php” for a Java application).
Deactivation of insecure HTTP methods (e.g. TRACE and TRACK).
Web and application servers must not disclose details on the server-side software stack (e.g. version numbers). Related HTTP response headers such as “X-Powered-By” are to be deactivated or filtered.
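The last three requirements (insecure HTTP methods, no stack or version disclosure, no “X-Powered-By” style headers) can be verified from a server's raw HTTP response. The following is an added example, not part of the requirements document, that parses a response's header block and reports one finding per violated requirement. The two sample responses are constructed for the example (one as an unhardened server might answer, one after the requirements are applied); the header and method names checked are those named in the requirements above.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real system): one as an
# unhardened server might answer, one after the requirements above are applied.
SAMPLE_RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Allow: GET, POST, OPTIONS, TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, POST, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

INSECURE_METHODS = {"TRACE", "TRACK"}        # methods that are to be deactivated
STACK_DISCLOSING_HEADERS = {"x-powered-by"}  # headers to be deactivated or filtered
VERSION_RE = re.compile(r"\d+\.\d+")         # a version number such as "2.4.41"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into {lowercased name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str) -> List[str]:
    """Return one finding per violated requirement; an empty list means the headers pass."""
    headers = parse_headers(raw)
    findings: List[str] = []

    # Requirement: headers such as X-Powered-By are deactivated or filtered.
    for name in sorted(set(headers) & STACK_DISCLOSING_HEADERS):
        findings.append(f"{name}: header discloses the server-side stack; deactivate or filter it")

    # Requirement: no version numbers in the Server header.
    for value in headers.get("server", []):
        if VERSION_RE.search(value):
            findings.append(f"server: value '{value}' discloses a version number")

    # Requirement: insecure methods (TRACE, TRACK) are deactivated.
    # Only methods advertised in an Allow header are visible here.
    for value in headers.get("allow", []):
        advertised = {m.strip().upper() for m in value.split(",")}
        for method in sorted(advertised & INSECURE_METHODS):
            findings.append(f"allow: insecure HTTP method {method} is enabled")

    return findings


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE_BEFORE), ("after", SAMPLE_RESPONSE_AFTER)):
        print(f"{label}: {audit_response(raw) or 'no findings'}")
```

The method check only inspects what the server advertises in an “Allow” header (typically the answer to an OPTIONS request); a server that does not send that header still needs its enabled methods confirmed in its own configuration. The version check is deliberately narrow (a dotted number in “Server”), so a header that names the product without a version, as in the hardened sample, passes.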