<IfModule mod_headers.c>
Content Security Policy (CSP)
Header set Content-Security-Policy` "script-src 'self'; object-src 'self'"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset Content-Security-Policy
Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"
HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Clickjacking
Header set X-Frame-Options "DENY"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
Reflected Cross-Site Scripting (XSS) attacks
Header set X-XSS-Protection "1; mode=block"
<FilesMatch ".(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-XSS-Protection
Server software information
ServerSignature Off
Header unset X-Powered-By
Weak SSL protocols
SSLProtocol -all +TLSv1.2
</IfModule>
Http Security Headers Checker Tool written in PHP Cli + Useful Tips to set Http Security Headers