guelau · January 24, 2018 12:22
diff --git a/secu.conf b/secu.conf
 # Send No server's informations
 ServerTokens Prod
 ServerSignature Off

 <IfModule mod_headers.c>
    # Forces httpOnly, secure cookies and limit XSS Attacks
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

    # Iframes can't come from another site: same url only
    Header set X-Frame-Options SAMEORIGIN

    # Block XSS Attacks
    Header set X-XSS-Protection "1;mode=block"

    # Prevents the MIME type attacks
    Header set X-Content-Type-Options nosniff

    # Helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load
    # If we activate this, we will fucked-up externals libs: facebook, segment, etc.
    # Header set Content-Security-Policy default-src 'self' cdn.guesttoguest.com assets.guesttoguest.com www.google-analytics.com ajax.googleapis.com;

    ## Minimizes Server response header
    Header unset Server
    
 </IfModule>

 # Set Off the TraceEnable directive (TRACE method no more accepted)
 TraceEnable off
	# Send No server's informations
	ServerTokens Prod
	ServerSignature Off

	<IfModule mod_headers.c>
	# Forces httpOnly, secure cookies and limit XSS Attacks
	Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

	# Iframes can't come from another site: same url only
	Header set X-Frame-Options SAMEORIGIN

	# Block XSS Attacks
	Header set X-XSS-Protection "1;mode=block"

	# Prevents the MIME type attacks
	Header set X-Content-Type-Options nosniff

	# Helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load
	# If we activate this, we will fucked-up externals libs: facebook, segment, etc.
	# Header set Content-Security-Policy default-src 'self' cdn.guesttoguest.com assets.guesttoguest.com www.google-analytics.com ajax.googleapis.com;

	## Minimizes Server response header
	Header unset Server

	</IfModule>

	# Set Off the TraceEnable directive (TRACE method no more accepted)
	TraceEnable off