How to configure Security Headers in Apache

Every directive below comes from mod_headers, so load that module first (a2enmod headers on Debian and Ubuntu, or a LoadModule headers_module line in httpd.conf elsewhere), add the directives to the relevant virtual host (or to a .htaccess file where AllowOverride FileInfo is permitted), then run apachectl configtest and reload. Prefer the "Header always set" form: without always the header is only added to 2xx responses and is missing from error pages and redirects, which are exactly the responses an attacker likes to play with. After reloading, confirm each header is actually present with curl -sI https://example.com/ from outside the server; a misplaced directive fails silently.

Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Put this only in the HTTPS (port 443) virtual host: browsers ignore HSTS received over plain HTTP, and RFC 6797 says a host must not send it on non-secure responses. max-age=31536000 is one year, the minimum the browser preload list requires. includeSubDomains commits every subdomain to HTTPS, and preload is only needed if you intend to submit the domain to the preload list, which is slow to undo, so leave both out until every subdomain serves valid TLS. While testing, start with a short max-age such as 300 and raise it once nothing breaks.

Enable X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
Use set, not append: append merges with any X-Frame-Options the application already sends, producing a comma-joined value such as "DENY, SAMEORIGIN", which has no defined meaning and which browsers may reject or ignore. SAMEORIGIN allows framing only by pages from the same origin; DENY forbids framing entirely. The frame-ancestors directive of Content-Security-Policy supersedes this header and wins when both are present, but keeping X-Frame-Options costs nothing and still covers older clients.

Enable X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
This header controlled the browser's built-in reflected-XSS filter. Chrome and Edge have removed that filter, Firefox never had one, and the filter itself was abused for cross-site leak attacks, so current guidance (OWASP among others) is to send "0" or omit the header and rely on a real Content-Security-Policy instead. If you do keep it for old browsers, "1; mode=block" is the value to use: plain "1" put the browser into page-rewriting mode, which created more bugs than it fixed.

Enable X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
This tells the browser to trust the Content-Type you send instead of sniffing the body, so a user upload served as text/plain or image/png is not treated as a script or stylesheet and text/plain is not sniffed into HTML. It only helps if your responses carry correct Content-Type headers, including those for static files and error pages.

Enable Referrer-Policy
Header always set Referrer-Policy "strict-origin"
strict-origin sends only the scheme, host and port as the Referer, even for same-origin requests, and sends nothing at all when downgrading from HTTPS to HTTP. If your own application relies on the full referring URL for same-origin navigations, use strict-origin-when-cross-origin instead, which is also the default in current browsers. Either choice keeps paths and query strings, which often carry session or reset tokens, out of third-party logs.

Enable Content Security Policy (CSP)
Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;"
Treat this as a starting point, not a finished policy: script-src * lets the page load scripts from any origin, so the only thing it stops is inline script and eval (neither 'unsafe-inline' nor 'unsafe-eval' is listed), and style-src * does the same for stylesheets. Narrow script-src to 'self' plus the specific hosts you load from, or to a nonce or hash, and roll changes out through the Content-Security-Policy-Report-Only header with a report-to or report-uri endpoint first, so you see what would be blocked before anything is enforced. Note that frame-ancestors, form-action and base-uri do not fall back to default-src and need their own directives.

Enable Permissions-Policy
Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
An empty allowlist such as geolocation=() disables the feature for the page and for every frame it embeds; fullscreen=(self) keeps it available to same-origin content only. Check the list before copying it: sync-xhr=() breaks applications that still use synchronous XMLHttpRequest, and any feature you genuinely need (camera on a video-chat page, for example) must be listed with (self) or the specific origin that is allowed to use it. Older browsers read the predecessor Feature-Policy header instead, so both can be sent during a transition.

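Configuring the headers is half the job; the other half is confirming what the server actually sends. The script below is an added example and is not part of the original page: it takes a header dump (what curl -sI https://host/ prints) and checks every header covered above, flagging the pitfalls each section warns about (a comma-joined X-Frame-Options from append, a CSP whose script-src is *, an HSTS max-age under a year, an X-XSS-Protection value other than 0). The two embedded responses are constructed, not captured from a real server, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a dump of HTTP response
# headers for the headers configured above, flagging settings that mod_headers
# emits without complaint but which protect nothing. The samples at the bottom
# are constructed; in use, pipe the output of `curl -sI https://host/` in.

# header_value NAME: print the value of NAME (case-insensitive) from the header
# block on stdin. Repeated headers are joined with ", ", as a browser sees them.
header_value() {
  tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    index($0, ":") > 0 {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name == want) {
        val = substr($0, index($0, ":") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        out = (out == "") ? val : out ", " val
      }
    }
    END { if (out != "") print out }'
}

# audit_headers: read a header dump on stdin, print one FAIL line per finding
# and return the number of findings (0 means every check passed).
audit_headers() {
  hdrs=$(cat)
  findings=0
  fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
  get() { printf '%s\n' "$hdrs" | header_value "$1"; }

  # HSTS: present, max-age of at least a year, preload only with includeSubDomains.
  hsts=$(get Strict-Transport-Security | tr 'A-Z' 'a-z')
  if [ -z "$hsts" ]; then
    fail "Strict-Transport-Security missing"
  else
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
      fail "HSTS max-age below one year: $hsts"
    fi
    case "$hsts" in *preload*) case "$hsts" in *includesubdomains*) ;;
      *) fail "HSTS preload without includeSubDomains" ;; esac ;; esac
  fi

  # X-Frame-Options: exactly DENY or SAMEORIGIN. "Header append" can yield
  # "DENY, SAMEORIGIN", a value with no defined meaning.
  xfo=$(get X-Frame-Options | tr 'a-z' 'A-Z')
  case "$xfo" in
    DENY|SAMEORIGIN) ;;
    "") fail "X-Frame-Options missing (or use CSP frame-ancestors)" ;;
    *)  fail "X-Frame-Options is not exactly DENY or SAMEORIGIN: $xfo" ;;
  esac

  [ "$(get X-Content-Type-Options | tr 'A-Z' 'a-z')" = nosniff ] \
    || fail "X-Content-Type-Options is not nosniff"
  [ -n "$(get Referrer-Policy)" ] || fail "Referrer-Policy missing"
  [ -n "$(get Permissions-Policy)" ] || fail "Permissions-Policy missing"

  # CSP: script-src (falling back to default-src) must not allow every origin.
  csp=$(get Content-Security-Policy)
  if [ -z "$csp" ]; then
    fail "Content-Security-Policy missing"
  else
    src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^[ ]*script-src[ ][ ]*//p')
    [ -n "$src" ] || src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^[ ]*default-src[ ][ ]*//p')
    case " $src " in
      "  ") fail "CSP has neither script-src nor default-src" ;;
      *" * "*|*"'unsafe-inline'"*|*" http: "*|*" https: "*)
        fail "CSP script sources allow scripts from anywhere: $src" ;;
    esac
  fi

  # X-XSS-Protection: the filter it controlled is gone from current browsers and
  # was itself abusable, so only "0" (or no header at all) passes.
  case "$(get X-XSS-Protection)" in
    ""|0) ;;
    *) fail "X-XSS-Protection should be 0 or omitted" ;;
  esac
  return $findings
}

# Constructed sample (not a real capture): a vhost using the snippets above
# verbatim, where the backend had already sent its own X-Frame-Options: DENY.
SAMPLE_AS_WRITTEN='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY, SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Content-Security-Policy: default-src '\''self'\''; font-src *; img-src * data:; script-src *; style-src *;
Permissions-Policy: geolocation=(),camera=()'

# The same response after "Header always set", script-src 'self' and X-XSS-Protection 0.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_AS_WRITTEN" \
  | sed -e 's/^X-Frame-Options: .*/X-Frame-Options: SAMEORIGIN/' \
        -e 's/^X-XSS-Protection: .*/X-XSS-Protection: 0/' \
        -e "s/script-src \*;/script-src 'self';/")

# audit_count SAMPLE: the number of findings for a sample, with FAIL lines hidden.
audit_count() { printf '%s\n' "$1" | audit_headers >/dev/null && echo 0 || echo $?; }

echo "== as written =="; printf '%s\n' "$SAMPLE_AS_WRITTEN" | audit_headers || echo "$? finding(s)"
echo "== fixed ==";      printf '%s\n' "$SAMPLE_FIXED" | audit_headers && echo "all checks passed"
```

Run it as-is to see the three findings for the snippets as written and a clean pass for the corrected set, or replace the sample with a live capture: curl -sI https://example.com/ | sh -c '. ./audit.sh; audit_headers' after saving the functions to audit.sh. The audit treats exact values strictly on purpose; a header that is present but malformed is the case a quick visual check of curl output tends to miss.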