Looking at the headers from the CWP (Apache) server with its exposure to the inet, I am baffled that there are apparently not even basic security headers in place, such as:
x-content-type-options nosniff
x-download-options noopen
x-frame-options SAMEORIGIN
x-permitted-cross-domain-policies none
x-xss-protection 1; mode=block
Neither is any CSP (Content Security Policy) deployed...
That leaves the CWP server open to a variety of attacks, e.g. cross-site scripting and CSS Exfil, and just deploying TLS is no cure for those.
I really would prefer that my server is not exposed in such a way by proxy of the CWP server. Whilst being in the position to harden any other services on the server, the CWP server is beyond such measures, unless I start to mess with its code and risk unintended consequences and instability.
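An added example (not from the post or from CWP itself) that audits a set of response headers against the baseline listed above, flags a missing CSP, and emits the mod_headers directives that would add what is absent; the header dict is a constructed sample, and in practice it would be filled from a `curl -I` of the panel's listener.

```python
"""Audit HTTP response headers for the baseline set named in the post."""
from typing import Dict, List

# Expected header values as listed in the post (names compared case-insensitively).
EXPECTED_HEADERS: Dict[str, str] = {
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-frame-options": "SAMEORIGIN",
    "x-permitted-cross-domain-policies": "none",
    # Legacy header: current browsers ignore it, a CSP is the effective control.
    "x-xss-protection": "1; mode=block",
}

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Report baseline headers that are missing or carry an unexpected value,
    and whether any CSP header (enforcing or report-only) is present at all."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    missing, wrong = [], []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in lowered:
            missing.append(name)
        elif lowered[name].lower() != expected.lower():
            wrong.append(f"{name}: got {lowered[name]!r}, expected {expected!r}")
    csp_present = any(h in lowered for h in CSP_HEADERS)
    return {"missing": missing, "wrong_value": wrong,
            "csp": [] if csp_present else ["no Content-Security-Policy header"]}


def apache_directives(report: Dict[str, List[str]]) -> List[str]:
    """mod_headers lines that would add each missing baseline header
    (valid in httpd.conf or .htaccess once mod_headers is loaded)."""
    return [f'Header always set {name} "{EXPECTED_HEADERS[name]}"'
            for name in report["missing"]]


# Constructed sample response: most of the baseline absent, one value differing.
SAMPLE_RESPONSE_HEADERS = {
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    result = audit_headers(SAMPLE_RESPONSE_HEADERS)
    print(result)
    for line in apache_directives(result):
        print(line)
```

Any CSP value the script accepts is only a presence check; the policy itself still has to be written for the panel's actual script and style sources.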