diff --git a/http/Provision/Config/Apache/server.tpl.php b/http/Provision/Config/Apache/server.tpl.php
index e6ea28ab..366a4d89 100644
--- a/http/Provision/Config/Apache/server.tpl.php
+++ b/http/Provision/Config/Apache/server.tpl.php
@@ -21,6 +21,14 @@ NameVirtualHost *:<?php print $http_port; ?>
   LoadModule rewrite_module modules/mod_rewrite.so
 </IfModule>
 
+# Mitigation for https://www.drupal.org/SA-CORE-2018-002
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{QUERY_STRING} (.*)(23value|23default_value|element_parents=%23)(.*) [NC]
+    RewriteCond %{REQUEST_METHOD} POST [NC]
+    RewriteRule ^.*$  - [R=403,L]
+</IfModule>
+
 <?php
 if (drush_get_option('provision_apache_conf_suffix', FALSE)) {
   $include_statement = 'IncludeOptional ';
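Review bot: The rules added under `# Mitigation for …` sit in the main server context of this template, and mod_rewrite does not hand main-server rules down to `<VirtualHost>` sections by default, so requests handled by the hosted sites' vhosts may never be checked against them. Unless the vhost templates (not visible in this hunk) already set `RewriteOptions Inherit`, either add `RewriteOptions InheritDownBefore` inside this `<IfModule>` block (Apache 2.4.8 and later) or emit the same conditions from the vhost template. As a matter of style, the refusal is more usually written `RewriteRule ^ - [F]`, and neither the `(.*)` groups around the alternation nor `[NC]` on the `REQUEST_METHOD` test is needed. A comment line such as `# Temporary request filter; does not replace updating Drupal core.` would help whoever later decides whether the block can be removed.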
diff --git a/http/Provision/Config/Nginx/server.tpl.php b/http/Provision/Config/Nginx/server.tpl.php
index 781d84cd..6d6c1567 100644
--- a/http/Provision/Config/Nginx/server.tpl.php
+++ b/http/Provision/Config/Nginx/server.tpl.php
@@ -327,6 +327,20 @@ server {
 }
 <?php endif; ?>
 
+# Mitigation for https://www.drupal.org/SA-CORE-2018-002
+set $rce "ZZ";
+if ( $query_string ~* (23value|23default_value|element_parents=%23) ) {
+  set $rce "A";
+}
+
+if ( $request_method = POST ) {
+  set $rce "${rce}B";
+}
+
+if ( $rce = "AB" ) {
+  return 403;
+}
+
 #######################################################
 ###  nginx virtual domains
 #######################################################
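Review bot: The added `set`/`if`/`return` directives appear to sit outside any `server { }` block, and nginx accepts rewrite-module directives only in `server` and `location` context. The context line ` }` just above them seems to close the `server {` named in the hunk header, and the next section only introduces the virtual domains. If this template is rendered into the `http` context, as the placement suggests, `nginx -t` would reject the generated configuration with a "directive is not allowed here" error instead of applying the filter. The enclosing structure lies outside the hunk, so this needs confirming against the full file. A safer home is inside each site's `server` block in the vhost template, or an `http`-level `map` keyed on `"$request_method:$query_string"` whose result each `server` block tests with a single `if`.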
