Apache Security Headers Setup for Serverpilot

performance.conf

Header set Connection keep-alive

ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/svg+xml "access 1 month"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"

security.conf

Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection 1;mode=block
Header always set X-Content-Type-Options nosniff
Header always edit Set-Cookie ^(.*)$ $1;Secure env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000;" env=HTTPS
Header set Expect-CT: "max-age=86400" env=HTTPS
Header always set Referrer-Policy: strict-origin-when-cross-origin
Header set Content-Security-Policy "default-src 'self';"

# By default disallow all features, opt into what is required (eg geolocation)
Header set Feature-Policy: ""

# Ideally the following set of directivse should be set instead of the above
# to ensure that all domain properties are fully SSL secured
#Header set Strict-Transport-Security: "max-age=15552000;includeSubdomains"

<Location "/">
   AllowMethods GET POST HEAD
</Location>