diff --git a/apache/manage_security.sls b/apache/manage_security.sls
new file mode 100644
index 0000000..6a57fe4
--- /dev/null
+++ b/apache/manage_security.sls
@@ -0,0 +1,33 @@
+{% if grains['os_family']=="Debian" %}
+
+{% from "apache/map.jinja" import apache with context %}
+
+include:
+  - apache
+
+{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
+apache_security-block:
+  file.blockreplace:
+    - name: /etc/apache2/conf-available/security.conf
+    - marker_start: "# START managed zone -DO-NOT-EDIT-"
+    - marker_end: "# END managed zone --"
+    - append_if_not_found: True
+    - show_changes: True
+    - require:
+      - pkg: apache
+    - watch_in:
+      - module: apache-reload
+
+{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
+apache_manage-security-{{ option }}:
+  file.accumulated:
+    - filename: /etc/apache2/conf-available/security.conf
+    - name: apache_manage-security-add-{{ option }}
+    - text: "{{ option }} {{ value }}"
+    - require_in:
+      - file: apache_security-block
+{% endfor %}
+
+{% endif %}
+
+{% endif %}
\ No newline at end of file
diff --git a/pillar.example b/pillar.example
index 0dda7ac..0ddc9a0 100644
--- a/pillar.example
+++ b/pillar.example
@@ -115,3 +115,8 @@ apache:
     - ssl
   disabled: # List modules to disable
     - rewrite
+
+  security:
+    # can be Full | OS | Minimal | Minor | Major | Prod
+    # where Full conveys the most information, and Prod the least.
+    ServerTokens: Prod
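Review bot: The `{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}` guard is evaluated when the state is rendered, i.e. before `pkg: apache` has been applied, so on a host where apache2 is not yet installed the whole managed block is silently skipped on the first highstate and only lands on the next run; the `require: - pkg: apache` inside the block cannot help, because the guard never emits the state at all. Since security.conf is shipped by the Debian apache2 package (as far as I can tell), I would drop that `{% if ... %}`/`{% endif %}` pair and rely on the `require` plus the existing `append_if_not_found: True`. Separately, `text: "{{ option }} {{ value }}"` writes every key under `apache:security` verbatim into the Apache config with no validation, so a pillar value containing a newline or an extra directive is emitted as-is; a comment such as `# each apache:security key/value is written verbatim as an Apache directive; pillar is trusted here` above the `for` loop would make that contract explicit. Minor: the stray space in `salt['file.file_exists' ]` should read `salt['file.file_exists']`.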