Content Security Headers

Knowledge Base Entry: #145
Category: Apache2/Security
Author: Bugfish
Created at: 2021-10-17 04:21:30
Modified at: 2025-09-19 17:32:22
Direct Hits: 579

HTTP Strict Transport Security (HSTS)

Instructs browsers to reach this host (and, with includeSubDomains, every subdomain) over HTTPS only for max-age seconds, here one year. Send it only from the HTTPS virtual host; browsers ignore it on plain HTTP responses. Treat preload as a commitment: once the domain is on the browser preload list, every subdomain must serve valid HTTPS, and getting removed again takes months. The always keyword (Apache) and always flag (Nginx) make the header go out on error responses as well, not only on 2xx/3xx. Apache needs mod_headers (a2enmod headers). In Nginx, add_header lines are inherited from the server block only if the location block has no add_header of its own, so keep the whole set at one level or repeat it in full.

Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

Content Security Policy (CSP)

default-src 'self' is only the fallback; every directive listed after it replaces that fallback for its own resource type. With script-src * the policy still blocks inline scripts and eval (there is no 'unsafe-inline' or 'unsafe-eval'), but it allows a script tag pointing at any host, which is exactly what an injected <script src="..."> needs. Tighten script-src to 'self' plus the specific origins you actually load from, and roll a new policy out as Content-Security-Policy-Report-Only first to see what it would break. This policy has no frame-ancestors directive, so the X-Frame-Options header further down still does the clickjacking work.

Apache:

Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;"

Nginx:

add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *" always;

X-XSS-Protection

Legacy header that controlled the reflected-XSS auditor of older browsers. Chromium removed its auditor in version 78 and Firefox never shipped one, so current browsers ignore the header; in browsers that still have the filter it can be abused as a side channel, which is why OWASP now recommends X-XSS-Protection: 0 (or omitting the header) and relying on CSP instead. The classic value, kept here for reference:

Apache:

Header always set X-XSS-Protection "1; mode=block"

Nginx:

add_header X-XSS-Protection "1; mode=block" always;

X-Frame-Options

SAMEORIGIN lets only pages from the same origin embed this one in a frame, which mitigates clickjacking; DENY forbids framing altogether, and the old ALLOW-FROM value is obsolete. When a CSP with frame-ancestors is present, browsers that support that directive use it and ignore X-Frame-Options.

Apache:

Header always set X-Frame-Options "SAMEORIGIN"

Nginx:

add_header X-Frame-Options "SAMEORIGIN" always;

X-Content-Type-Options

nosniff stops browsers from guessing a MIME type and executing a response as script or stylesheet when the declared Content-Type says otherwise. The flip side: scripts must be served with a JavaScript MIME type and stylesheets as text/css, or the browser refuses to load them.

Apache:

Header always set X-Content-Type-Options "nosniff"

Nginx:

add_header X-Content-Type-Options nosniff always;

Referrer-Policy

strict-origin sends only the scheme and host (no path or query) on every request, same-origin included, and sends nothing at all when going from HTTPS to HTTP. If same-origin analytics or referer-based checks need the full URL, strict-origin-when-cross-origin (the current browser default) keeps the full referrer for same-origin requests and trims it to the origin for cross-origin ones.

Apache:

Header always set Referrer-Policy "strict-origin"

Nginx:

add_header Referrer-Policy "strict-origin" always;

Permissions-Policy

Restricts which browser features the page and the frames it embeds may use. An empty allowlist () disables the feature everywhere, (self) allows it for same-origin documents only, and a feature not mentioned keeps its browser default. This header is the successor of Feature-Policy, whose syntax differs.

Apache:

Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"

Nginx:

add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;
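To verify what a server actually sends once these directives are in place, the following Python script is an added example and not part of this knowledge-base entry: it parses a raw HTTP response head, pulls out the headers configured above and flags the weak points discussed in each section (short HSTS max-age, script-src wildcard or inline scripts, no framing protection, legacy X-XSS-Protection, missing headers). The two responses it checks are constructed inline, not captured from a real server; the first mirrors this page's configuration, the second a tightened one, and https://cdn.example in it is a placeholder origin. Against a live host, feed it the output of curl -sI https://example.com (hostname is a placeholder too).

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age used in the HSTS examples above


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header map from a raw HTTP response (head only; the body
    after the first blank line is ignored). Duplicate names keep the last
    value, which is enough for this audit."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # line 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(raw: str) -> List[str]:
    """Return findings for the headers covered on this page; [] means clean."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), "")
        try:
            age = int(max_age.split("=", 1)[1]) if max_age else 0
        except ValueError:
            age = 0
        if age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS without includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as the browser does
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "*" in scripts:
            findings.append("CSP script-src allows any origin (*)")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP script-src allows inline scripts")
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")

    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append("X-XSS-Protection enables the legacy auditor; send 0 or drop it")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings


# Constructed sample: the headers exactly as this page configures them.
PAGE_CONFIG_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;",
    "X-XSS-Protection: 1; mode=block",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin",
    "Permissions-Policy: geolocation=(),midi=(),camera=()",
    "",
    "<html>...</html>",
])

# Constructed sample: a tightened variant (cdn.example is a placeholder origin).
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy: default-src 'self'; img-src 'self' data:; "
    "script-src 'self' https://cdn.example; frame-ancestors 'self'",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Permissions-Policy: geolocation=(), camera=(), microphone=()",
    "",
    "<html>...</html>",
])

if __name__ == "__main__":
    for label, resp in (("page config", PAGE_CONFIG_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(resp) or ['clean']}")
```

Run on this page's own configuration the audit reports the CSP script-src wildcard and the legacy X-XSS-Protection value and nothing else; the hardened response comes back clean. The script treats a missing script-src as inheriting default-src, the same fallback a browser applies, so a policy of default-src * alone is flagged as well.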

Caution: I do not guarantee the reliability of the information given here, the code described on this page is executed at your own risk and in the event of damage or other unforeseeable consequences I am in no way responsible or liable.