ModSecurity Considerations

ModSecurity, and later ModSecurity2, began as an Apache-specific module hosted by Trustwave. It is now hosted on GitHub in two lines: v2 (ModSecurity2, still an Apache module) and v3, a complete rewrite called LibModSecurity, which is a standalone Web Application Firewall that supports all major web servers.

ModSecurity's basic functionality can be summarised as applying a set of fine-grained rules to the HTTP traffic of software running on Apache (and now on any other web server) at the application level, behind the outer network firewall. Some hosting environments use it to provide an additional layer of security.

But some rules can interfere with the normal operation of Drupal or of other large applications such as Nextcloud. Because every ModSecurity administrator can write their own rules, it is impossible to be certain that Drupal will not be caught by one of them. Simply enabling LibModSecurity (v3) or ModSecurity2 (v2) can therefore leave you unable to update your Drupal installation or to save nodes, because false positives block those actions. Whether that is happening can be checked in the ModSecurity logs on the server.
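The check mentioned above, as an added example that is not part of this handbook page: ModSecurity 2.x writes each denial to the Apache error log as a single line carrying `[id "…"]` and `[uri "…"]` fields, so a few lines of shell are enough to tally which rule blocked which Drupal path. The log lines below are constructed samples in that format; the rule IDs, client addresses and hostname are placeholders, not real rule numbers or real traffic.

```shell
# Added example: summarise ModSecurity 2.x denials from the Apache error log
# to find rules that fire on ordinary Drupal actions (node save, node edit, search).
# The sample lines are constructed; rule IDs 900001/900002 and the addresses are placeholders.
export LC_ALL=C

MODSEC_SAMPLE='[Mon Mar 04 10:01:12 2024] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:body[und][0][value]. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900001"] [msg "Script tag in request body"] [hostname "drupal.example.test"] [uri "/node/add/article"] [unique_id "AAAA"]
[Mon Mar 04 10:02:40 2024] [:error] [pid 1235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:body[und][0][value]. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900001"] [msg "Script tag in request body"] [hostname "drupal.example.test"] [uri "/node/7/edit"] [unique_id "AAAB"]
[Mon Mar 04 10:05:03 2024] [:error] [pid 1236] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "77"] [id "900002"] [msg "SQL keyword sequence"] [hostname "drupal.example.test"] [uri "/search/node"] [unique_id "AAAC"]
[Mon Mar 04 10:06:15 2024] [:error] [pid 1237] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:body[und][0][value]. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900001"] [msg "Script tag in request body"] [hostname "drupal.example.test"] [uri "/node/add/article"] [unique_id "AAAD"]'

# Print "rule_id uri" for every denial line read from stdin.
# In this log format the [id "..."] field always precedes [uri "..."], which the pattern relies on.
denials() {
    sed -n 's/.*ModSecurity: Access denied.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p'
}

# Tally denials per (rule ID, URI), most frequent first.
denial_summary() {
    denials | sort | uniq -c | sort -rn
}

# How many requests one rule ID blocked. $1 = rule ID.
count_rule_hits() {
    denials | awk -v id="$1" '$1 == id { n++ } END { print n + 0 }'
}

# The distinct URIs one rule blocked; a list of normal Drupal paths here
# (e.g. /node/add/*, /node/*/edit) points at a false positive. $1 = rule ID.
uris_for_rule() {
    denials | awk -v id="$1" '$1 == id { print $2 }' | sort -u
}

# Usage on a real server (path assumed; adjust to your distribution):
#   grep 'ModSecurity: Access denied' /var/log/apache2/error.log | denial_summary
printf '%s\n' "$MODSEC_SAMPLE" | denial_summary
```

A rule that shows up only on editorial paths such as `/node/add/article` and `/node/7/edit`, and only for authenticated editors, is a candidate for a narrowly scoped exclusion rather than for disabling ModSecurity altogether.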

Enabling HTTP Secure (HTTPS)

HTTPS is a protocol which encrypts HTTP requests and their responses. This ensures that if someone were able to compromise the network between your computer and the server you are requesting from, they would not be able to listen in or tamper with the communications.

Securing file permissions and ownership for Drupal 7

The server file system should be configured so that the web server process (e.g. Apache) does not have permission to edit or write the files it executes. That is, all of your code files should be read-only for the Apache process and owned, with write permission, by a separate user that is not the web server user.

Note that this whole article is about "defense in depth." Drupal can run quite safely with permissions a little "looser" than they should be. But if an administrator account is compromised by an attacker or an attacker gains the ability to execute arbitrary code then the configuration below will limit their ability to further exploit your site.
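One way to apply and verify that layout, as an added example that is not the handbook's own script: code directories become 750 and code files 640, owned by a deploy account with the web server's group, while only the `sites/*/files` upload directories stay group-writable. The `chown` step is attempted only when running as root; the tree, user and group names below are constructed for the demo and must be replaced with your real docroot, deploy user and web server group.

```shell
# Added example: read-only code layout for a Drupal 7 docroot plus an audit function.
# Assumptions: the web server runs under the group passed as $3, code is owned by the
# deploy account passed as $2, and only sites/*/files must be writable by the web server.
export LC_ALL=C

# $1 = Drupal root, $2 = owner (deploy user), $3 = web server group.
harden_drupal_perms() {
    root=$1; owner=$2; web_group=$3
    # Ownership needs root; as an unprivileged owner only the modes are changed.
    if [ "$(id -u)" = "0" ]; then
        chown -R "$owner:$web_group" "$root"
    fi
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    # Uploaded files: the web server must write here, and only here.
    for files_dir in "$root"/sites/*/files; do
        [ -d "$files_dir" ] || continue
        find "$files_dir" -type d -exec chmod 770 {} +
        find "$files_dir" -type f -exec chmod 660 {} +
    done
}

# Audit: every path outside sites/*/files that is group- or world-writable, i.e.
# writable by the web server once the tree is group-owned by its group.
# Prints nothing when the layout is correct.
writable_code_paths() {
    find "$1" -path "$1/sites/*/files" -prune -o \( -perm -020 -o -perm -002 \) -print
}

count_writable_code_paths() {
    writable_code_paths "$1" | wc -l | tr -d ' '
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed Drupal-like tree with deliberately loose permissions, so the
# example runs anywhere without touching a real site.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/sites/default/files/styles" "$tree/modules/system"
    printf '<?php\n' > "$tree/index.php"
    printf '<?php\n' > "$tree/sites/default/settings.php"
    printf 'x' > "$tree/sites/default/files/logo.png"
    chmod -R 777 "$tree"
    printf '%s\n' "$tree"
}

# Demo run on the constructed tree, using the current user and group as stand-ins.
DEMO=$(make_sample_tree)
echo "writable code paths before: $(count_writable_code_paths "$DEMO")"
harden_drupal_perms "$DEMO" "$(id -un)" "$(id -gn)"
echo "writable code paths after:  $(count_writable_code_paths "$DEMO")"
rm -rf "$DEMO"
```

The audit function is the part worth keeping around: run it after every deployment or module update, since a tarball extracted as the web server user quietly reintroduces writable code.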

Configuring text formats (aka input formats) for security

Drupal's Input Formats provide a variety of benefits. They can be used to enhance the functionality of your site but one of the main purposes is to ensure that data entered on your site is safe for site visitors. For example, if you allow anonymous commenting with "Full HTML" input format, a visitor could add an inappropriate image or malicious JavaScript code capable of changing your password on the site.
