<IfModule mod_headers.c>
Content Security Policy (CSP)
Header set Content-Security-Policy` "script-src 'self'; object-src 'self'"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset Content-Security-Policy
Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"
HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Clickjacking
Header set X-Frame-Options "DENY"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
Reflected Cross-Site Scripting (XSS) attacks
Header set X-XSS-Protection "1; mode=block"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-XSS-Protection
Server software information
ServerSignature Off
Header unset X-Powered-By
Weak SSL protocols
SSLProtocol -all +TLSv1.2
</IfModule>
This project is a web interface for testssl.sh. It can be used to offer internal TLS/SSL configuration check portals, whereever the usual public tools are not applicable.
Download and run Dirk Wetter's testssl.sh on a list of url's and compile the failures into a single spreadsheet.