How to configure Security Headers in Apache

Enable HSTS

# All Header directives on this page need mod_headers loaded (a2enmod headers on Debian/Ubuntu).
# "always" sends the header on redirects and error responses too; HSTS is only honoured over HTTPS,
# and "preload" is close to irreversible once the domain is submitted to the browser preload list.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Enable X-Frame-Options

# Use set rather than append: X-Frame-Options takes a single value, and if a backend or another
# module already emits one, append produces two conflicting values that browsers ignore.
Header always set X-Frame-Options "SAMEORIGIN"

Enable X-XSS-Protection

# Legacy header: current Chromium-based browsers and Firefox no longer act on it; CSP is the supported control.
Header always set X-XSS-Protection "1; mode=block"

Enable X-Content-Type-Options

Header always set X-Content-Type-Options "nosniff"

Enable Referrer-Policy

Header always set Referrer-Policy "strict-origin"

Enable Content Security Policy (CSP)

# script-src * and style-src * permit scripts and styles from any origin; narrow them to the
# origins the site actually loads from before relying on this policy for XSS mitigation.
Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;"

Enable Permissions-Policy

Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
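An added verification step, not part of the original page: a small Python audit that parses a captured response header block and checks the headers configured above (presence, duplicate values such as those produced by `Header append` on a single-valued header, HSTS max-age, and a CSP whose effective script source is a wildcard or allows inline scripts). The sample response below is constructed, not captured from a real server.

```python
import re

# Constructed sample response: roughly what a vhost using this page's directives would return.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Content-Security-Policy: default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;
Permissions-Policy: geolocation=(),camera=(),microphone=()
"""

def parse_headers(raw):
    """Map lowercase header name -> list of values, so duplicates stay visible."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():                 # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    def one(name):
        vals = headers.get(name, [])
        if not vals:
            findings.append(f"{name}: missing")
        elif len(vals) > 1:   # e.g. 'Header append' on a single-valued header
            findings.append(f"{name}: {len(vals)} values, browsers may ignore it")
        return vals[0] if vals else None
    hsts = one("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts and (not age or int(age.group(1)) < 31536000):
        findings.append("strict-transport-security: max-age below one year")
    xfo = one("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")
    if (one("x-content-type-options") or "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: value is not 'nosniff'")
    one("referrer-policy")
    one("permissions-policy")
    csp = one("content-security-policy") or ""
    # script-src governs script loading; default-src is the fallback when script-src is absent
    src = re.search(r"(?:^|;)\s*script-src([^;]*)", csp) or re.search(r"(?:^|;)\s*default-src([^;]*)", csp)
    if src and ("*" in src.group(1).split() or "'unsafe-inline'" in src.group(1)):
        findings.append("content-security-policy: scripts allowed from any origin or inline")
    return findings
```

Run against the constructed sample, the only finding is the wildcard script-src; a response with `default-src 'self'` and no script-src passes cleanly.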
