I would like to use my laptop as a web development (PHP, Python, etc.) machine, but I'm hesitant to do this unless I can ensure that it can not be accessed by the outside world.
I'm guessing that something more than a firewall is necessary, such as configurations to the Apache configuration files, but I'm not sure what else I would need to be 100% sure it's locked down tightly.
You need to configure the server daemon to only bind to localhost using the Listen directive like this:
Listen 127.0.0.1
An alternative is to configure access control for the main server like this
<Directory "/var/www/localhost/htdocs">
AllowOverride None
Deny from all
Allow from 127.0.0.1/255.0.0.0
</Directory>
Remember to put the root directory of your server in the Directory Directive.
A firewall should be sufficient. Just make sure that you run apache in a non-standard port (typically 8080) and make sure your firewall blocks outside access to that port.
Install a firewall and close all external ports but those who you want to use. If you are using Linux, there are nice frontends for iptables such as firestarter, if you use OS X there is an integrated firewall and Windows has one too. :)
But yes, the Firewall is the way to go. (Or you can tell Apache to listen on 127.0.0.1:80 only)
in the configuration file, change the LISTEN directive to only listen on the loop back address:
Listen 127.0.0.1
Put a router between you and the internet, and don't forward any ports to your laptop. That way anyone trying to access the laptop hits the router and can't get any further.
You can forward ports to your main machine (or just put the main machine in the DMZ) if you need it to be available to incoming connections.
A firewall will do just fine. But if you won't settle for just a firewall you can configure apache to just listen on your loopback device, or tell it to just accept connections from a set of addresses on your lan. The first method is easier, but that way you can access the web pages only from the machine apache is running on.