# Security headers
# More info:
# enable HSTS
#
Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains;preload"
Header set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
Header set Strict-Transport-Security: "max-age=15768000;preload"
Header set Strict-Transport-Security: "max-age=15768000"
# Avoid Clickjack attacks
Header always set X-Frame-Options "SAMEORIGIN"
# Enable reflective XSS protection and block response when detecting an attack
Header always set X-Xss-Protection "1; mode=block"
# Use strict MIME types
Header always set X-Content-Type-Options "nosniff"
# Do not send the referrer header when navigating from HTTPS to HTTP,
# but always send the full URL when navigating from HTTP to any origin.
# More info:
Header always set Referrer-Policy "no-referrer-when-downgrade"
# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
# and disallow any other resources to load (eg object, frame, media, etc).
# More info:
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
# More info:
# feature list:
Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(), layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"