HTTP Security Headers

yeahhub, Sep 22nd, 2018
# BEGIN HTTP Headers
<IfModule mod_headers.c>
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\.(php|html)$">
# Drop the PHP version banner (also set expose_php = Off in php.ini).
Header unset X-Powered-By
# CORS: these three headers only take effect alongside an Access-Control-Allow-Origin
# header, which this snippet does not set; never pair Allow-Credentials "true"
# with Allow-Origin "*".
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Origin"
# Same-origin CSP; 'unsafe-inline' is permitted for styles only. Roll it out with
# Content-Security-Policy-Report-Only first, and prefer object-src 'none' unless
# plugin content is really served from this origin.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; frame-src 'self';"
Header always set Referrer-Policy "no-referrer-when-downgrade"
# One-year HSTS for this host and its subdomains; browsers honour it only when
# received over HTTPS. (The original paste closed this value with a curly quote,
# which breaks the directive; it must be a plain ASCII double quote.)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Anti-clickjacking: refuse to be framed by any origin.
Header always set X-Frame-Options "DENY"
# Legacy IE/Chrome XSS filter; modern browsers ignore it and rely on CSP instead.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-UA-Compatible "IE=edge,chrome=1"
</FilesMatch>
</IfModule>
# END HTTP Headers

# BEGIN Cookie Security
# php_flag needs mod_php; under PHP-FPM these lines cause a 500 error, so set them
# in php.ini or the FPM pool config instead.
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END Cookie Security
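After deploying the .htaccess above, verify what the server actually sends rather than trusting the config. The Python script below is an added example and is not part of the original paste: it parses a raw HTTP response and reports missing or weak security headers. Both sample responses are constructed by hand. The first mirrors the headers the snippet emits, and on it the audit reports the two soft spots in the paste (object-src 'self' instead of 'none', and Access-Control-Allow-Credentials without an Access-Control-Allow-Origin); the second is a permissive default PHP host. Swap in the output of `curl -sI https://your-host/` to check a live server.

```python
"""Audit HTTP security headers (added example; not code from the original paste).

The two responses below are constructed by hand for illustration. Nothing is
fetched from the network; paste in `curl -sI https://your-host/` output to
audit a live server.
"""
import re

# Constructed sample: what a server running the .htaccess above would send.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; frame-src 'self';
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""

# Constructed sample: a default PHP host with permissive CORS and CSP settings.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Powered-By: PHP/7.2.10
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src * 'unsafe-inline'
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response into {lowercase-name: value}; repeated fields are joined with ', '."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():                    # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not max_age:
        findings.append("Strict-Transport-Security missing")
    else:
        if int(max_age.group(1)) < 31536000:  # one year, the usual minimum
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = parse_csp(headers.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        fallback = csp.get("default-src", [])  # fetch directives inherit default-src
        script_src = csp.get("script-src", fallback)
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src allows inline or wildcard scripts")
        if csp.get("object-src", fallback) != ["'none'"]:
            findings.append("CSP object-src is not 'none'")

    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By leaks platform: {headers['x-powered-by']}")

    if headers.get("access-control-allow-credentials", "").lower() == "true":
        acao = headers.get("access-control-allow-origin")
        if acao == "*":  # browsers refuse this pairing, but it signals a misconfigured policy
            findings.append("CORS: Allow-Credentials 'true' with wildcard Allow-Origin")
        elif acao is None:
            findings.append("CORS: Allow-Credentials set without Allow-Origin (no effect)")

    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(parse_headers(raw)) or ["all checks passed"]:
            print("  -", finding)
```

The audit is deliberately strict about `object-src`: plugins are the classic CSP bypass, so 'none' is the expected value unless the site genuinely serves Flash or Java applets from its own origin. `X-XSS-Protection` and `X-UA-Compatible` are not checked because no current browser acts on them.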