Created Sep 27, 2019
Apache Security + Cache Headers
# Static assets: long-lived, immutable caching
<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css)$">
    Header set X-Content-Type-Options nosniff
    # Build the ETag from modification time and size only (no inode)
    FileETag -INode MTime Size
    Header set Cache-Control "public, max-age=63072000, immutable"
    Header unset Last-Modified
</FilesMatch>

<FilesMatch "\.(html)$">
    # security-related headers
    # Expect-CT is deprecated in current browsers
    Header set Expect-CT "max-age=63072000, enforce"
    Header set Referrer-Policy same-origin
    Header set X-Content-Type-Options nosniff
    Header set X-Frame-Options SAMEORIGIN
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # As written, a bare * source allows any host for that directive
    Header set Content-Security-Policy "default-src 'self' *; script-src 'self'; style-src 'self' 'unsafe-inline' * * *; img-src 'self'; font-src 'self' * * *; connect-src *"
    # Feature-Policy has been superseded by Permissions-Policy
    Header set Feature-Policy "geolocation 'self'; accelerometer 'self'; gyroscope 'self'; camera 'none'; microphone 'none'; fullscreen 'self'; document-write 'none'; speaker 'none'; payment 'none'"
    # caching
    FileETag -INode MTime Size
    Header set Cache-Control "max-age=600, public, must-revalidate"
    Header unset Last-Modified
</FilesMatch>