Header always set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
Header always set X-XSS-Protection "1; mode=block"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "block-all-mixed-content"
Header always set Referrer-Policy "no-referrer-when-downgrade"
# For Future Use
# Header always set Cross-Origin-Resource-Policy "same-origin"
# Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always unset "X-Powered-By"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
These directives set the headers needed to achieve an A+ rating on https://securityheaders.com, which typically satisfies most cybersecurity insurance assessment scans. The configuration also removes the X-Powered-By header, which reveals the PHP version the site is running, and edits every cookie set by the server to include the HttpOnly, Secure and SameSite=Strict flags.
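To confirm the policy actually reaches clients (for example after a reverse proxy or a second vhost strips something), the following added checker is not part of the original post. It audits a response's headers and Set-Cookie values against the directives above; the sample responses are constructed, and to test a live site you would pass in the headers returned by http.client or urllib.

```python
import re

# One entry per header in the Apache config above: tokens that must appear in the value.
EXPECTED = {
    "Strict-Transport-Security": ["includeSubDomains", "preload"],
    "X-XSS-Protection": ["1", "mode=block"],
    "Permissions-Policy": ["geolocation=()", "microphone=()", "camera=()"],
    "X-Frame-Options": ["SAMEORIGIN"],
    "Content-Security-Policy": ["block-all-mixed-content"],
    "Referrer-Policy": ["no-referrer-when-downgrade"],
}
FORBIDDEN = ["X-Powered-By"]                              # unset by the config
COOKIE_FLAGS = ["HttpOnly", "Secure", "SameSite=Strict"]  # appended by 'Header edit'
MIN_HSTS_AGE = 31536000  # one year, the minimum max-age the HSTS preload list accepts


def audit(headers, set_cookies):
    """Return a list of findings; an empty list means the policy is fully applied.
    headers: dict of response header -> value (matched case-insensitively).
    set_cookies: list of raw Set-Cookie header values."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, tokens in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
            continue
        findings += [f"{name} lacks '{t}'" for t in tokens if t.lower() not in value.lower()]
    hsts = lower.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if hsts and (m is None or int(m.group(1)) < MIN_HSTS_AGE):
        findings.append("Strict-Transport-Security max-age below one year")
    findings += [f"{n} should be removed" for n in FORBIDDEN if n.lower() in lower]
    for raw in set_cookies:
        cname = raw.split("=", 1)[0].strip()
        # Attributes after the first ';' (duplicates from 'Header edit' collapse into the set).
        attrs = {p.strip().lower() for p in raw.split(";")[1:]}
        findings += [f"cookie {cname} lacks {f}" for f in COOKIE_FLAGS if f.lower() not in attrs]
    return findings


# Constructed sample responses (not captured from any real site).
COMPLIANT = {
    "headers": {"Strict-Transport-Security": "max-age=63072000 ; includeSubDomains ; preload",
                "X-XSS-Protection": "1; mode=block", "X-Frame-Options": "SAMEORIGIN",
                "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
                "Content-Security-Policy": "block-all-mixed-content",
                "Referrer-Policy": "no-referrer-when-downgrade"},
    "cookies": ["PHPSESSID=abc123; Path=/;HttpOnly;Secure;SameSite=Strict"],
}
WEAK = {  # short HSTS, leaked PHP version, unprotected session cookie
    "headers": {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN",
                "X-Powered-By": "PHP/8.1"},
    "cookies": ["PHPSESSID=abc123; Path=/"],
}
```

Running `audit(WEAK["headers"], WEAK["cookies"])` lists every gap (missing headers, the short max-age, the leaked X-Powered-By and the three absent cookie flags), while the compliant sample returns an empty list.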
Another resource for testing security vulnerabilities is https://domsignal.com/toolbox