@sooluh
Last active June 20, 2023 03:26
Securing HTTP headers in the PHP language.
<?php
/**
* Securing HTTP headers in the PHP language.
* Written by Suluh Sulistiawan <suluh.webdevelopers@hotmail.com>
* Use as you like, hopefully useful.
*
* Include this file before any output (no whitespace or HTML before
* the opening tag): header() fails once the response body has started.
*/
/**
* X-Frame-Options tells the browser whether this page may be
* embedded in a frame, so an attacker cannot load it in an
* invisible frame and clickjack it. SAMEORIGIN allows framing
* only by pages from the same origin; DENY blocks all framing.
* The CSP frame-ancestors directive supersedes this header;
* keep both for older browsers and make sure they agree.
*/
header("X-Frame-Options: SAMEORIGIN");
/**
* X-XSS-Protection controlled the reflected-XSS filter of old
* Internet Explorer, pre-Chromium Edge, Chrome and Safari.
* Chrome removed its XSS Auditor in version 78, Firefox never
* implemented one, and the filter itself could be abused to leak
* data, so OWASP now recommends "X-XSS-Protection: 0" or omitting
* the header and relying on Content-Security-Policy instead.
* The value below only matters for legacy browsers that still
* honour it; it is no substitute for a strict CSP.
*/
header("X-XSS-Protection: 1; mode=block");
/**
* X-Content-Type-Options: nosniff tells the browser to trust the
* Content-Type the server sends instead of MIME-sniffing the body.
* Without it, an uploaded file served as text/plain or image/*
* may be interpreted as HTML or JavaScript; with it, scripts and
* stylesheets served with a wrong type are also refused.
*/
header("X-Content-Type-Options: nosniff");
/**
* Permissions-Policy (formerly Feature-Policy) lets the page
* selectively enable, disable or restrict browser features and
* APIs. Each feature gets an allowlist: (self) grants it to this
* origin only (including same-origin frames), () disables it for
* the page and every frame, and * allows any origin. Features
* not listed keep their browser default.
*/
header("Permissions-Policy: geolocation=(self),sync-xhr=(self),fullscreen=(self)");
/**
* HTTP Strict Transport Security (HSTS) tells the browser to
* reach this host only over HTTPS for max-age seconds, which
* protects against man-in-the-middle attacks such as protocol
* downgrade attacks and cookie hijacking over plain HTTP.
*
* Send it only on HTTPS responses (browsers ignore it on HTTP).
* includeSubDomains applies it to every subdomain, so any
* HTTP-only subdomain stops working; preload additionally lets
* you submit the host to the browsers' built-in list via
* hstspreload.org (max-age must be at least one year; the value
* below is two) and is very hard to undo. When rolling out,
* start with a short max-age and without preload.
*/
header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");
/**
* Content Security Policy (CSP) is an added layer of security
* that helps to detect and mitigate certain types of attacks,
* including Cross-Site Scripting (XSS) and data injection, by
* telling the browser which origins it may load scripts, styles,
* images, frames and other resources from.
*
* Add CSP directives as you like; the allowlists below were
* assembled from the packages at https://rapidsec.com/csp-packages/
*
* Caveats: 'unsafe-inline' and 'unsafe-eval' in script-src allow
* injected inline scripts and eval(), which is exactly what an XSS
* payload needs, so this policy does little against XSS until they
* are replaced by per-request nonces or hashes. Broad wildcards
* such as *.google.com include endpoints (for example JSONP) that
* can be used to bypass the policy. frame-ancestors is not set, so
* framing is governed only by X-Frame-Options. prefetch-src was
* removed from the CSP specification and browsers ignore it.
* Deploy a new policy as Content-Security-Policy-Report-Only
* first and only enforce it once the reports are clean.
*
* The whole value must stay on one line: header() rejects a
* newline inside the value.
*/
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://www.google-analytics.com https://ssl.google-analytics.com https://google-analytics.com https://connect.facebook.net https://graph.facebook.com https://js.facebook.com https://*.doubleclick.net https://*.googleadservices.com https://*.google.com https://*.googlesyndication.com https://*.googletagservices.com https://cdnjs.cloudflare.com https://use.fontawesome.com https://kit.fontawesome.com https://ajax.googleapis.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.google.com/recaptcha/ https://maps.googleapis.com https://maps.google.com https://www.youtube.com https://m.youtube.com https://code.jquery.com https://cdn.jsdelivr.net https://unpkg.com https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://netdna.bootstrapcdn.com https://platform.twitter.com https://analytics.twitter.com https://en.twitter.com https://cdn.syndication.twimg.com https://translate.googleapis.com https://translate.google.com; style-src 'self' 'unsafe-inline' www.googletagmanager.com tagmanager.google.com fonts.googleapis.com *.google.com cdnjs.cloudflare.com *.fontawesome.com ajax.googleapis.com code.jquery.com cdn.jsdelivr.net unpkg.com *.bootstrapcdn.com ton.twimg.com platform.twitter.com translate.googleapis.com; frame-src www.googletagmanager.com *.facebook.com connect.facebook.net *.google.com *.doubleclick.net *.googlesyndication.com *.recaptcha.net recaptcha.net https://www.google.com/recaptcha/ https://recaptcha.google.com maps.google.com maps.googleapis.com *.youtube.com www.youtube-nocookie.com *.twitter.com; child-src blob: www.googletagmanager.com *.facebook.com connect.facebook.net *.google.com *.doubleclick.net *.googlesyndication.com www.youtube.com; img-src 'self' data: blob: www.googletagmanager.com www.google-analytics.com ssl.google-analytics.com www.google.com analytics.google.com fonts.gstatic.com *.facebook.com *.facebook.net *.fbcdn.net *.google.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com cdnjs.cloudflare.com ajax.googleapis.com www.gstatic.com/recaptcha *.googleapis.com maps.google.com maps.gstatic.com www.gstatic.com *.ggpht.com *.ytimg.com *.youtube.com code.jquery.com cdn.jsdelivr.net unpkg.com t.co *.twitter.com *.twimg.com translate.google.com translate.googleapis.com www.gstatic.com; connect-src 'self' about: www.googletagmanager.com www.google-analytics.com stats.g.doubleclick.net ampcid.google.com analytics.google.com fonts.googleapis.com fonts.gstatic.com *.facebook.com connect.facebook.net *.doubleclick.net *.google.com *.googlesyndication.com www.googleadservices.com cdnjs.cloudflare.com *.fontawesome.com ajax.googleapis.com maps.googleapis.com maps.google.com code.jquery.com cdn.jsdelivr.net t.co *.twitter.com *.twimg.com translate.googleapis.com translate.google.com www.gstatic.com; font-src 'self' data: fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com *.fontawesome.com cdn.jsdelivr.net unpkg.com *.bootstrapcdn.com; object-src *.googlesyndication.com; media-src 'self' dai.google.com *.twimg.com; form-action 'self' *.facebook.com connect.facebook.net *.google.com *.twitter.com; prefetch-src *.googlesyndication.com; worker-src blob: www.google.com www.recaptcha.net");
/**
* Referrer-Policy controls how much of the current URL is sent
* in the Referer header of outgoing requests. strict-origin sends
* only the origin (scheme, host, port), even for same-origin
* requests, and nothing at all on an HTTPS-to-HTTP downgrade.
* strict-origin-when-cross-origin (the browser default) keeps the
* full URL for same-origin requests while still hiding the path
* and query string from third parties.
*/
header("Referrer-Policy: strict-origin");
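A worked example, added here and not part of the gist above: the same headers built in one function, with the CSP's 'unsafe-inline' / 'unsafe-eval' replaced by a per-request nonce, a report-only switch for rolling the policy out, frame-ancestors set alongside X-Frame-Options, and HSTS sent only on HTTPS responses. The function names (send_security_headers, csp_nonce, build_csp), the $report_only parameter and the /csp-report endpoint are this example's own choices, not the gist's; it assumes PHP 8.0 or later for the named argument in the usage line.

```php
<?php
/**
 * Added example (not part of the original gist): nonce-based CSP,
 * report-only roll-out and an HTTPS guard for HSTS.
 * Names below (send_security_headers, csp_nonce, build_csp,
 * /csp-report) are this example's own assumptions.
 */
declare(strict_types=1);

/** One cryptographically random nonce per request, reused by the templates. */
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

/** Serialise a directive => sources map into a single-line CSP value. */
function build_csp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

/** Call before any output. $report_only = true only reports violations, it does not block. */
function send_security_headers(bool $report_only = false, string $report_uri = '/csp-report'): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at $file:$line");
    }
    $nonce = csp_nonce();
    $csp = build_csp([
        'default-src'     => ["'self'"],
        // Only scripts carrying this request's nonce run; 'strict-dynamic' lets them load
        // further scripts and makes CSP3 browsers ignore the 'self' fallback kept for CSP2.
        'script-src'      => ["'self'", "'nonce-$nonce'", "'strict-dynamic'"],
        'style-src'       => ["'self'", "'nonce-$nonce'"],
        'img-src'         => ["'self'", 'data:'],
        'object-src'      => ["'none'"],      // no plugins, no Flash-style object injection
        'base-uri'        => ["'self'"],      // stops <base> tag injection from redirecting relative URLs
        'frame-ancestors' => ["'self'"],      // CSP counterpart of X-Frame-Options: SAMEORIGIN
        'form-action'     => ["'self'"],
        'report-uri'      => [$report_uri],   // older directive, still widely supported; report-to is its successor
    ]);
    $header = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header("$header: $csp");

    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: geolocation=(self), sync-xhr=(self), fullscreen=(self)');

    // HSTS only means something on a TLS response; browsers ignore it over plain HTTP.
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if ($https) {
        // No preload here: add it only after the policy has been live and stable for a while.
        header('Strict-Transport-Security: max-age=63072000; includeSubDomains');
    }
}

// Usage at the very top of the page, before any output. Start in report-only mode,
// watch the reports at /csp-report, then switch to send_security_headers() to enforce.
send_security_headers(report_only: true);
?>
<!-- Inline scripts and styles must carry the nonce to be allowed; injected ones will not have it. -->
<script nonce="<?= htmlspecialchars(csp_nonce(), ENT_QUOTES) ?>">
  console.log('inline script permitted by nonce');
</script>
```

The nonce must be fresh on every response and must not be guessable, which is why it comes from random_bytes() and is generated once per request rather than once per server start; reusing a nonce across responses lets an attacker who has seen one page inject a script that passes the policy.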