htaccess security headers for Apache

.htaccess

# Set browser headers
<IfModule mod_headers.c> 
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>