@sepiariver
Forked from JamiesonRoberts/performance.conf
Created February 7, 2021 20:03
Apache Security Headers Setup for Serverpilot
Header set Connection keep-alive
# Browser cache lifetimes per MIME type (mod_expires)
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/svg+xml "access 1 month"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
# Clickjacking and MIME-sniffing protection
Header always set X-Frame-Options SAMEORIGIN
# Legacy XSS filter header; current browsers ignore it, it only matters for old ones
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
# Append the Secure flag to every cookie issued over HTTPS (it is appended even if the flag is already present)
Header always edit Set-Cookie ^(.*)$ "$1;Secure" env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000;" env=HTTPS
# Expect-CT has since been deprecated by browsers; harmless but no longer enforced
Header set Expect-CT "max-age=86400" env=HTTPS
Header always set Referrer-Policy strict-origin-when-cross-origin
Header set Content-Security-Policy "default-src 'self';"
# By default disallow all features, opt into what is required (e.g. geolocation).
# Note: an empty value applies no restrictions at all; the features to deny must be listed explicitly.
# Feature-Policy has since been renamed Permissions-Policy.
Header set Feature-Policy ""
# Ideally the following directive should be set instead of the Strict-Transport-Security line above,
# to ensure that all subdomains are also served only over TLS
#Header set Strict-Transport-Security "max-age=15552000;includeSubDomains"
# Requires mod_allowmethods; every other HTTP method is rejected
<Location "/">
AllowMethods GET POST HEAD
</Location>
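A way to verify that a deployment actually emits the policy configured above, as an added example that is not part of the gist: a small Python audit over a raw HTTP response header block, checking the X-Frame-Options, nosniff, HSTS max-age, CSP, Referrer-Policy and cookie Secure-flag rules from this config. The two sample responses are constructed.

```python
import re

def parse_headers(raw):
    """Split a raw response into (lower-cased name, value) pairs, keeping duplicates such as several Set-Cookie lines."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:  # the status line has no colon and is skipped
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return the list of policy violations; an empty list means every check passed."""
    hdrs = parse_headers(raw)
    values = lambda name: [v for k, v in hdrs if k == name]
    findings = []
    xfo = values("x-frame-options")
    if not xfo or xfo[0].upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if [v.lower() for v in values("x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options: nosniff missing")
    hsts = values("strict-transport-security")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I) if hsts else None
    if not m or int(m.group(1)) < 15552000:  # the gist's max-age (180 days)
        findings.append("Strict-Transport-Security missing or max-age too short")
    csp = values("content-security-policy")
    if not csp or "default-src" not in csp[0]:
        findings.append("Content-Security-Policy missing or lacks default-src")
    if not values("referrer-policy"):
        findings.append("Referrer-Policy missing")
    for cookie in values("set-cookie"):  # every cookie must carry the Secure flag
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("Set-Cookie without Secure: " + cookie.split("=", 1)[0])
    return findings

# Constructed sample responses: GOOD is what the config above should emit over HTTPS.
GOOD = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000;
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self';
Set-Cookie: session=abc123; Path=/; HttpOnly;Secure
"""
BAD = """HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=3600
Set-Cookie: session=abc123; Path=/
"""
```

Feed it the header block captured from a real response (for example the output of a HEAD request) to confirm the env=HTTPS conditions fired as intended.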