yeahhub

HTTP Security Headers

Sep 22nd, 2018
139
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # BEGIN HTTP Headers
  2. <IfModule mod_headers.c>
  3. Header always set X-Content-Type-Options "nosniff"
  4. <FilesMatch "\.(php|html)$">
  5. Header unset X-Powered-By
  6. Header always set Access-Control-Allow-Credentials "true"
  7. Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
  8. Header always set Access-Control-Allow-Headers "Origin"
  9. Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; frame-src 'self';"
  10. Header always set Referrer-Policy "no-referrer-when-downgrade"
  11. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains”
  12. Header always set X-Frame-Options "DENY"
  13. Header always set X-XSS-Protection "1; mode=block"
  14. Header always set X-UA-Compatible "IE=edge,chrome=1"
  15. </FilesMatch>
  16. </IfModule>
  17. # END HTTP Headers
  18.  
  19. # BEGIN Cookie Security
  20. php_flag session.cookie_httponly on
  21. php_flag session.cookie_secure on
  22. # END Cookie Security
RAW Paste Data Copied