by wzm 4974 days ago
This can also lead to DoS issues. As I understand it, the Apache server-status pages are very computationally intensive to produce, and it requires stopping and polling every child.

Something like

<Location /server-status>
    SetHandler server-status
    # Deny rules are checked first, then Allow; a matching Allow wins
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/24
</Location>

(where 10.0.0.0 is your local network range) will prevent external requests. This is mentioned in the linked-through Apache documentation.

1 comments

According to other commenters, this is only enabled for localhost by default, but if one is using a reverse proxy on localhost, all requests will appear to come from there. So be careful with this approach.
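
A small model of how Apache 2.2 evaluates the Order/Deny/Allow rules above against the connecting address, showing why a reverse proxy on the same host changes the outcome. This is an added example, not part of either comment and not Apache's own code; the LOCALHOST_ONLY rule set, the helper names and the sample addresses are assumptions, and only "all", single IPs and CIDR blocks are modelled.

```python
import ipaddress

def _matches(specs, peer):
    """True if peer falls in any spec; a spec is 'all', an IP, or a CIDR block."""
    for spec in specs:
        if spec.lower() == "all":
            return True
        if peer in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def access_allowed(order, deny, allow, peer_ip):
    """Apache 2.2 Order/Deny/Allow decision for the TCP peer address."""
    peer = ipaddress.ip_address(peer_ip)
    denied, allowed = _matches(deny, peer), _matches(allow, peer)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    if key == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order!r}")

# The rules from the comment above.
LAN_ONLY = dict(order="Deny,Allow", deny=["all"], allow=["10.0.0.0/24"])
# Constructed: the localhost-only restriction the reply describes.
LOCALHOST_ONLY = dict(order="Deny,Allow", deny=["all"], allow=["127.0.0.1"])

def peer_seen_by_apache(client_ip, proxy_ip=None):
    """Apache checks the address of whoever opened the TCP connection."""
    return proxy_ip if proxy_ip else client_ip

def check(rules, client_ip, proxy_ip=None):
    """Apply a rule set to a request, optionally relayed by a proxy."""
    peer = peer_seen_by_apache(client_ip, proxy_ip)
    return access_allowed(peer_ip=peer, **rules)

if __name__ == "__main__":
    external = "203.0.113.5"  # constructed documentation-range address
    print("direct, LAN-only rules:      ", check(LAN_ONLY, external))
    print("direct, localhost-only rules:", check(LOCALHOST_ONLY, external))
    print("via proxy on 127.0.0.1:      ",
          check(LOCALHOST_ONLY, external, "127.0.0.1"))
```

With a proxy on the same host, the localhost rule no longer separates local from remote clients, so the path also has to be refused at the proxy.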