danmaby · February 16, 2018 15:17
diff --git a/.htaccess b/.htaccess
 #
 <IfModule mod_headers.c>
    # HSTS - force redirect to HTTPS at the browser level.
    # Submit for Chrome preload list at https://hstspreload.appspot.com/
    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"

    # X-Xss-Protection
    Header always set X-Xss-Protection "1; mode=block"

    # Stop clickjacking by only allowing us to frame our own site
    Header always set X-Frame-Options "SAMEORIGIN"

    # Avoid MIMEtype attacks
    Header set X-Content-Type-Options: "nosniff"

    # Allow Cross-Origin Resource Sharing (CORS)
    Header set Access-Control-Allow-Origin "*"

    # Content Security Policy
    Header set Content-Security-Policy "upgrade-insecure-requests;"

    # Try and remove PHP version
    Header unset X-Powered-By
    
    # Referrer Policy Policy
    Header set Referrer-Policy: "no-referrer-when-downgrade"
 </IfModule>

 # Try and disable server signature
 ServerSignature Off
 #
	#
	<IfModule mod_headers.c>
	# HSTS - force redirect to HTTPS at the browser level.
	# Submit for Chrome preload list at https://hstspreload.appspot.com/
	Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"

	# X-Xss-Protection
	Header always set X-Xss-Protection "1; mode=block"

	# Stop clickjacking by only allowing us to frame our own site
	Header always set X-Frame-Options "SAMEORIGIN"

	# Avoid MIMEtype attacks
	Header set X-Content-Type-Options: "nosniff"

	# Allow Cross-Origin Resource Sharing (CORS)
	Header set Access-Control-Allow-Origin "*"

	# Content Security Policy
	Header set Content-Security-Policy "upgrade-insecure-requests;"

	# Try and remove PHP version
	Header unset X-Powered-By

	# Referrer Policy Policy
	Header set Referrer-Policy: "no-referrer-when-downgrade"
	</IfModule>

	# Try and disable server signature
	ServerSignature Off
	#