@GaryJones
Last active October 6, 2023 08:35
Security Headers
<IfModule mod_headers.c>
# HSTS - force redirect to HTTPS at the browser level.
# Submit for Chrome preload list at https://hstspreload.appspot.com/
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# X-XSS-Protection (legacy header: current browsers no longer ship the XSS auditor it controlled)
Header always set X-XSS-Protection "1; mode=block"
# Stop clickjacking by only allowing us to frame our own site
Header always set X-Frame-Options "SAMEORIGIN"
# Stop browsers MIME-sniffing a response into a type other than the declared Content-Type
Header always set X-Content-Type-Options "nosniff"
# Allow Cross-Origin Resource Sharing (CORS) from any origin; narrow this to the origins that actually need to read responses
Header always set Access-Control-Allow-Origin "*"
# Content Security Policy
# Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
# Content Security Policy Report Only
# Get mixed-content warnings
Header set Content-Security-Policy-Report-Only " \
default-src https: 'unsafe-eval' 'unsafe-inline'; \
font-src https: data:; \
img-src https: data:; \
report-uri https://<your-prefix>.report-uri.io/r/default/csp/reportOnly \
"
# env=HTTPS
# Remove PHP version
Header unset X-Powered-By
</IfModule>
# Disable server signature
ServerSignature Off
# nginx equivalent. add_header is inherited from the enclosing level only if the
# current block (server/location) defines no add_header of its own, so a location
# that adds one header drops all of these unless they are repeated there.
# preload list submission also requires includeSubDomains (see the Apache rule above).
add_header Strict-Transport-Security "max-age=31536000; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
add_header 'Access-Control-Allow-Origin' '*';
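A small audit script, added here as an example and not part of the gist, that parses a raw response header block (such as the output of `curl -sI`) and checks it against the header set configured above. The sample response is constructed to mirror what the nginx block emits; the function names are my own.

```python
import re

# Constructed sample: the response the nginx snippet above would produce for
# a 200 page that still leaks X-Powered-By (not a capture from a real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
X-Powered-By: PHP/8.2
"""

def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw):
    """Return the list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
        # The preload list rejects 'preload' without includeSubDomains
        if "preload" in hsts and "includesubdomains" not in hsts.lower():
            findings.append("HSTS preload requires includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")
    if not ("content-security-policy" in h
            or "content-security-policy-report-only" in h):
        findings.append("No Content-Security-Policy (enforced or report-only)")
    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS allows any origin to read responses")
    if "x-powered-by" in h:
        findings.append("X-Powered-By leaks platform and version")
    return findings
```

Run it on the output of `curl -sI https://your-host/` to see which of the headers above a given deployment is actually sending.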