@danmaby
Last active February 16, 2018 15:17
Site Security All Sites
#
<IfModule mod_headers.c>
# HSTS - tell the browser to use HTTPS for this host for one year.
# "always" also sets the header on non-2xx responses (redirects, error pages), which plain "set" does not.
# Submit for the Chrome preload list at https://hstspreload.appspot.com/
# (includeSubDomains and preload are required for that list).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# X-Xss-Protection - legacy browser XSS filter; current Chromium-based browsers ignore it, but it is harmless to send.
Header always set X-Xss-Protection "1; mode=block"
# Stop clickjacking by only allowing us to frame our own site
Header always set X-Frame-Options "SAMEORIGIN"
# Avoid MIME-type sniffing attacks
Header always set X-Content-Type-Options "nosniff"
# Allow Cross-Origin Resource Sharing (CORS).
# NOTE: "*" lets any origin read these responses. Fine for public static assets,
# not for pages that serve authenticated or per-user content.
Header set Access-Control-Allow-Origin "*"
# Content Security Policy - have the browser fetch http:// subresources over https:// instead.
Header always set Content-Security-Policy "upgrade-insecure-requests;"
# Try and remove the PHP version (X-Powered-By: PHP/x.y.z)
Header unset X-Powered-By
# Referrer Policy
Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
# Try and disable the server signature (the Apache version footer on server-generated error pages).
# The Server: header itself is controlled by ServerTokens in the main server config, which .htaccess cannot set.
ServerSignature Off
#
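As an added example (not part of the gist), the following Python script checks a raw HTTP response against the policy the snippet above is meant to produce: HSTS with a one-year max-age and includeSubDomains, framing restricted, nosniff, a CSP present, no X-Powered-By, no version in the Server header, and a flag on wildcard CORS. The two sample responses are constructed for illustration, including their version strings; in practice you would feed it the output of `curl -i` or a proxy capture.

```python
"""Audit HTTP response headers against the .htaccess policy in the gist above.

Added example (not from the gist). The two raw responses below are constructed
for illustration; in practice capture them with curl -i or a proxy.
"""
import re

ONE_YEAR = 31536000  # the max-age the gist sets


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lowercase-name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if headers.get("x-frame-options", "").lower() not in ("sameorigin", "deny"):
        findings.append("X-Frame-Options missing or permissive")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")

    # The gist sends "*"; flag it so the operator makes that choice deliberately.
    if headers.get("access-control-allow-origin") == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any origin can read responses")

    if "x-powered-by" in headers:
        findings.append("X-Powered-By discloses " + headers["x-powered-by"])

    # "Apache/2.4.41" leaks a version; "Apache" alone (ServerTokens Prod) does not.
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append("Server header discloses version: " + server)

    return findings


# Constructed sample: what a host running the gist's .htaccess should return.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: upgrade-insecure-requests;\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: a stock PHP-on-Apache host with none of the hardening applied
# (version numbers are made up for the example).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        status, headers = parse_raw_response(raw)
        findings = audit_headers(headers)
        print(f"{label} (HTTP {status}): {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The hardened sample omits Access-Control-Allow-Origin, so it passes cleanly; a host running the gist verbatim would still produce the wildcard-CORS finding, which is deliberate: the check exists so that sending "*" on every site is a conscious decision rather than a default.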