@guelau
Created January 24, 2018 12:22
Some security directives for Apache
# Send no server information in response headers or on error pages
ServerTokens Prod
ServerSignature Off
<IfModule mod_headers.c>
# Force HttpOnly and Secure on cookies (limits cookie theft via XSS and cookies sent over plain HTTP)
# Note: the flags are appended unconditionally, so a cookie the application already marks
# HttpOnly ends up carrying the attribute twice; "Header always edit" would also cover error responses
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
# Iframes can't come from another site: same origin only
Header set X-Frame-Options SAMEORIGIN
# Legacy browser XSS filter (current browsers ignore this header; Content-Security-Policy is the replacement)
Header set X-XSS-Protection "1; mode=block"
# Prevents MIME type sniffing attacks
Header set X-Content-Type-Options nosniff
# Helps reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load
# If we enable this, it will break external libs: facebook, segment, etc.
# Header set Content-Security-Policy "default-src 'self' cdn.guesttoguest.com assets.guesttoguest.com www.google-analytics.com ajax.googleapis.com;"
## Minimize the Server response header
## Note: mod_headers runs before the core adds the Server header, so this line has no effect
## in stock httpd; ServerTokens Prod above is what reduces the value to "Apache"
Header unset Server
</IfModule>
# Disable TRACE (the TRACE method is no longer accepted)
TraceEnable off
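An added example (not part of the gist) that checks a response head against the directives above: it parses raw HTTP headers, reports which hardening points are missing, and mirrors the gist's `Header edit Set-Cookie` rewrite so its duplicate-flag behaviour can be seen. The two sample responses are constructed for the demo, not captured from any real host.

```python
from __future__ import annotations
import re

def apache_cookie_edit(set_cookie: str) -> str:
    """Python equivalent of the gist's `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", set_cookie)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head into (lowercased name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw: str) -> list[str]:
    """One finding per directive in the gist that the response does not satisfy."""
    hdrs = parse_headers(raw)
    values = lambda name: [v for k, v in hdrs if k == name]
    findings = []
    for server in values("server"):
        if server.lower() != "apache":  # ServerTokens Prod leaves exactly "Apache"
            findings.append(f"Server header leaks details: {server}")
    for cookie in values("set-cookie"):
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        missing = {"httponly", "secure"} - flags
        if missing:
            findings.append(f"Set-Cookie lacks {sorted(missing)}: {cookie.split(';')[0]}")
    xfo = values("x-frame-options")
    if not xfo or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if [v.lower() for v in values("x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options nosniff missing")
    if not values("content-security-policy"):
        findings.append("Content-Security-Policy not set (the gist leaves it commented out)")
    return findings

# Constructed sample responses: a default install and one with the gist applied.
DEFAULT = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu) PHP/7.2.3\r\n"
           "Set-Cookie: sid=abc123; Path=/\r\nContent-Type: text/html\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
            "Content-Security-Policy: default-src 'self'\r\n")

if __name__ == "__main__":
    for finding in audit(DEFAULT):
        print("missing:", finding)
    print("hardened findings:", audit(HARDENED))
    print(apache_cookie_edit("sid=abc; Path=/; HttpOnly"))  # note the doubled HttpOnly
```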