section-io-gists/security_headers.vcl

## security_headers.vcl
sub vcl_deliver {
  set resp.http.X-Frame-Options = "SAMEORIGIN";
  set resp.http.X-XSS-Protection = "1; mode=block";
  set resp.http.X-Content-Type-Options = "nosniff";
  set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains";
  set resp.http.Content-Security-Policy-Report-Only = "default-src 'self' ; script-src 'self' r-login.wordpress.com s0.wp.com s1.wp.com s2.wp.com stats.wp.com 0.gravatar.com platform.twitter.com; style-src 'self' s2.wp.com 0.gravatar.com fonts.googleapis.com; img-src 'self' pixel.wp.com 2.gravatar.com ; font-src 'self' data: fonts.gstatic.com; upgrade-insecure-requests; report-uri https://example.report-uri-example.io/report/example-endpoint;";

  unset resp.http.Server;
}
	sub vcl_deliver {
	set resp.http.X-Frame-Options = "SAMEORIGIN";
	set resp.http.X-XSS-Protection = "1; mode=block";
	set resp.http.X-Content-Type-Options = "nosniff";
	set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains";
	set resp.http.Content-Security-Policy-Report-Only = "default-src 'self' ; script-src 'self' r-login.wordpress.com s0.wp.com s1.wp.com s2.wp.com stats.wp.com 0.gravatar.com platform.twitter.com; style-src 'self' s2.wp.com 0.gravatar.com fonts.googleapis.com; img-src 'self' pixel.wp.com 2.gravatar.com ; font-src 'self' data: fonts.gstatic.com; upgrade-insecure-requests; report-uri https://example.report-uri-example.io/report/example-endpoint;";

	unset resp.http.Server;
	}