diff --git a/exercises/h4.md b/exercises/h4.md index 496ed68..9954bff 100644 --- a/exercises/h4.md +++ b/exercises/h4.md @@ -15,6 +15,12 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018) - [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection) + - [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]() + + - [EXTRA: Additional protection by fine-tuning Apache HTTP headers]() + + - [EXTRA: Additional protection by enabling ModSecurity module in Apache]() + - [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) - [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance) 
@@ -296,7 +302,7 @@ newuser@goauldhost:~/source_codes/apache2$ cd apache2-2.4.18/ Implement the patch file changes into the Apache source code: ``` -newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i ../patch_apache_servertokens.patch +newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_servertokens.patch ``` Before compiling Apache web server, you must install the following build time dependencies: 
@@ -419,6 +425,26 @@ Header unset ETag More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc. +### EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code + +[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output response if multiple errors were encountered while processing the client request: + +> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. + +> Additionally, a error was encountered while trying to use an ErrorDocument to handle the request. + +The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website. + +As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. This warning applies especially in Apache proxy configurations in which another server redirects error messages to the Apache proxy and multiple errors may occur. 
+ +Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder: + +``` +newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch +``` + +and follow the procedures of the previous section to compile and install Apache from source code. + ### EXTRA: Disable userdir module for user nobody to reduce server detection It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows: 
@@ -440,6 +466,148 @@ msf auxiliary(scanner/http/dir_scanner) > run [*] Using code '404' as not found for AAA.BBB.XXX.CCC [+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC) ``` +### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code + +[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request: + +> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. + +> Additionally, a error was encountered while trying to use an ErrorDocument to handle the request. + +The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response. + +As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. + +Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder: + +``` +newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch +``` + +and follow the procedures of the previous section to compile and install Apache from source code. + + +### EXTRA: Additional protection by fine-tuning Apache HTTP headers + +In some server environments, adding some HTTP headers may give extra protection against malicious actions by an hostile client. **NOTE:** Please keep in mind that these settings are not foolproof. + +At first, enable Apache `headers` module. 
+ +``` +sudo a2enmod headers +``` + +Then, add the following in your Apache virtualhost (for instance, `/etc/apache2/sites-available/000-default.conf`): + + +... + + + Header set X-Content-Type-Options nosniff + Header always append X-Frame-Options SAMEORIGIN + Header always append X-XSS-Protection 1 + Header always append Content-Security-Policy "frame-ancestors 'self'" + + +... + + +> Header set X-Content-Type-Options nosniff + +More about this option: [Stack Overflow - What is “X-Content-Type-Options=nosniff”?](https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff) + +> Header always append X-Frame-Options SAMEORIGIN + +More protection against [Clickjacking attacks](https://www.keycdn.com/blog/x-frame-options/#Clickjacking) + +More about this option: + +- [keycdn.com - X-Frame-Options - How to Combat Clickjacking](https://www.keycdn.com/blog/x-frame-options/#X-Frame-Options-Directives) + +- [OWASP - Clickjacking Defense Cheat Sheet](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) + +> Header always append X-XSS-Protection 1 + +More about this option: [keycdn.com - X-XSS-Protection - Preventing Cross-Site Scripting Attacks](https://www.keycdn.com/blog/x-xss-protection/) + +> Header always append Content-Security-Policy "frame-ancestors 'self'" + +Another clickjacking attack prevention (CSP 2.0) + +More about this option: [OWASP - Content Security Policy Cheat Sheet: Preventing Clickjacking (CSP 2.0)](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking) + +### EXTRA: Additional protection by enabling ModSecurity module in Apache + +More security features can be added to Apache server by using [ModSecurity Apache module by Trustwave SpiderLabs](https://www.modsecurity.org/about.html). The module is released under [Apache Software License version 2](http://www.apache.org/licenses/LICENSE-2.0.txt). 
A brief description of the module, quoted from the website: + +> ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. + +There is an additional ModSecurity ruleset available by OWASP. You can read more about it on [OWASP website: ModSecurity Core Rule Set Project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project) + +At first, make sure that Apache `security` module is installed: + +``` +[[ $(dpkg --get-selections | grep libapache2-mod-security2) ]] || sudo apt-get update && sudo apt-get install -y libapache2-mod-security2 modsecurity-crs +``` + +Then, enable the module: + +``` +sudo a2enmod security2 +``` + +**NOTE:** Before blindly accepting `security` module, please take extra care if your Apache server is in production or in sensitive environment where stability is absolutely required without nasty or troublesome interruptions! + +**NOTE:** If you decided to adapt some of the following `security` module rules, you should identify which of these settings are relevant *in your server environment*. + +**NOTE:** The following ruleset is a loose reference which uses the settings by [Ask Apache - Mod_Security .htaccess tricks website](https://www.askapache.com/htaccess/modsecurity-htaccess-tricks/) + +Add the following in your VirtualHost configuration (for instance, `/etc/apache2/sites-available/000-default.conf`): + +``` + +... 
+ + + SecDataDir /var/cache/modsecurity + IncludeOptional /etc/modsecurity/*.conf + IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load + + # Enable ModSecurity + SecRuleEngine On + + # Sends matching requests a 405 Method Not Allowed Status Code + SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" "deny,auditlog,status:405" + + # Do not accept GET or HEAD requests with bodies + SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain + SecFilterSelective HTTP_Content-Length "!^$" + + # Require Content-Length to be provided with + # every POST request + SecFilterSelective REQUEST_METHOD "^POST$" chain + SecFilterSelective HTTP_Content-Length "^$" + + # Don't accept transfer encodings we know we don't handle + SecFilterSelective HTTP_Transfer-Encoding "!^$" + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # Only log suspicious requests + SecAuditEngine RelevantOnly + + # Unicode encoding check + SecFilterCheckUnicodeEncoding Off + + +... + +``` + **b)** Set user default website to be the default website for Apache in your virtual server environment. --------------
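Review bot: in the first hunk (`@@ -15,6 +15,12 @@`) the three new table-of-contents entries have empty link targets (`[EXTRA: ... Apache source code]()` and the two that follow), so they render as plain text rather than links, while every neighbouring entry carries a full `https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#...` anchor. Give each one the anchor derived from its heading text, and make the titles match the headings actually added below: the TOC says "Delete suggestive HTTP error code messages" but the later hunk adds a heading "Delete additional HTTP error code messages", so the generated anchor would not resolve to the second heading.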
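Review bot: the second hunk (`@@ -296,7 +302,7 @@`) replaces a working command with a broken one. `-i` takes a filename argument, and the shell consumes `<` as a stdin redirection before `patch` ever sees it, so `patch -Np1 -i < ../patch_apache_servertokens.patch` leaves `-i` without an argument and GNU patch exits with "option requires an argument". Either keep the removed line, `patch -Np1 -i ../patch_apache_servertokens.patch`, or drop `-i` and feed the file on stdin, `patch -Np1 < ../patch_apache_servertokens.patch`; mixing the two forms does not work.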
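Review bot: the third hunk (`@@ -419,6 +425,26 @@`) repeats the same malformed invocation, `patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch`; use `patch -Np1 -i ../patch_apache_disable_additional_errormsg.patch` (or `patch -Np1 < ...` without `-i`). This hunk also inserts the whole "Delete ... HTTP error code messages" section, and the next hunk inserts it again under a near-identical heading, so the document ends up with two copies of the patch description, the quoted Apache messages and the caveat paragraph. Keep only one; this copy is the better candidate since it carries the extra caveat about proxy configurations, in which a backend's error responses can trigger the "Additionally, a ... error was encountered" message and the patch would hide that.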
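Review bot: in the last hunk (`@@ -440,6 +466,148 @@`) the ModSecurity VirtualHost block will prevent Apache from starting: `SecFilterSelective`, `SecFilterScanPOST`, `SecFilterCheckURLEncoding` and `SecFilterCheckUnicodeEncoding` are ModSecurity 1.x directives that no longer exist in ModSecurity 2.x, which is what the `libapache2-mod-security2` package installed a few lines earlier provides (Apache reports "Invalid command 'SecFilterSelective'" at config test). The askapache page cited as the source of these rules dates from the 1.x era. The 2.x equivalents are `SecRule` with an `id:` action, e.g. `SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" "id:900001,phase:1,deny,status:405,log,auditlog"`, `SecRequestBodyAccess On` in place of `SecFilterScanPOST On`, and the `@validateUrlEncoding` / `@validateUtf8Encoding` operators in place of the two `SecFilterCheck*` lines; the OWASP CRS loaded via `IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load` already ships protocol-enforcement rules covering these cases, so the hand-written rules can simply be dropped. Smaller points in the same hunk: `[[ ... ]] || sudo apt-get update && sudo apt-get install -y ...` runs the install whenever the test succeeds because `||` and `&&` bind left to right, so group the right-hand side as `{ sudo apt-get update && sudo apt-get install -y ...; }`; the `Header` snippet is the only configuration block on the page not wrapped in a code fence and its enclosing `<VirtualHost>`/`<IfModule>` lines appear to have been lost, so fence it like the ModSecurity block; and `Header always append X-Frame-Options SAMEORIGIN` produces the invalid value `SAMEORIGIN, SAMEORIGIN` if the application already sets that header, so `Header always set` is the safer form (the same applies to the `X-XSS-Protection` and `Content-Security-Policy` lines). The duplicate "Delete ... HTTP error code messages" section at the top of this hunk should be removed in favour of the copy added by the previous hunk.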