diff --git a/manifests/apache.pp b/manifests/apache.pp
index d93ca0e..c766bd4 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -29,6 +29,12 @@ class zanata::apache (
   include ::httpd
   include ::httpd::ssl
 
+  if !defined(Httpd_mod['rewrite']) {
+    httpd_mod { 'rewrite':
+      ensure => present,
+    }
+  }
+
   httpd_mod { 'proxy':
     ensure => present,
   }
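Review bot: The `!defined(Httpd_mod['rewrite'])` guard is evaluation-order dependent, because `defined()` only sees resources already declared when this class is evaluated. A later declaration of the same resource elsewhere in the catalog would still fail as a duplicate, and the adjacent `httpd_mod { 'proxy': }` is declared without any guard, so the two are inconsistent. Nothing in the hunk says why rewrite is now needed; I would add a comment above the block such as `# mod_rewrite is required by the CVE-2018-12532 block rule in templates/zanata.vhost.erb`. The class body continues outside the hunk, so any ordering between this resource and the vhost or service cannot be checked from here.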
diff --git a/templates/zanata.vhost.erb b/templates/zanata.vhost.erb
index 08f45b3..9a23d1e 100644
--- a/templates/zanata.vhost.erb
+++ b/templates/zanata.vhost.erb
@@ -32,7 +32,11 @@
     SSLCertificateChainFile <%= scope.lookupvar("zanata::apache::ssl_chain_file") %>
   <% end -%>
 
+  # CVE-2018-12532 https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
+  RewriteEngine on
+  RewriteRule .*(/DATA/|org\.richfaces\.resource\.MediaOutputResource).* - [F,L]
+
   ProxyPass / ajp://127.0.0.1:8009/ retry=0
 
 </VirtualHost>
-</IfModule>
\ No newline at end of file
+</IfModule>
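Review bot: The block rule on the `RewriteRule` line is added to a single `<VirtualHost>` whose opening lies outside this hunk, so any other vhost in the template that also proxies to `ajp://127.0.0.1:8009/` would still forward these RichFaces resource requests unfiltered. It is worth confirming that every proxying vhost carries the same two directives. The pattern is case-sensitive and, in vhost context, is tested against the URL path only and not the query string, so it should be checked against the request forms described in the linked advisory. Because this is a front-end filter rather than a fix in the application, I would extend the comment to say so, e.g. `# Mitigation only: blocks RichFaces resource handlers at the proxy; keep until the bundled RichFaces is patched or removed`.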