--- security.conf.orig
+++ security.conf
@@ -22,7 +22,7 @@
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
 #ServerTokens Minimal
-ServerTokens OS
+ServerTokens Prod
 #ServerTokens Full
 
 #
@@ -60,14 +60,34 @@
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header always set X-Content-Type-Options: "nosniff"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Frame-Options: "sameorigin"
+Header always set X-Frame-Options: "sameorigin"
 
+# Enable reflective XSS protection and block response when detecting an attack
+Header always set X-Xss-Protection "1; mode=block"
+
+# Allow images, scripts, AJAX, form actions, and CSS from the same origin,
+# and disallow any other resources to load (eg object, frame, media, etc).
+# More info: <https://content-security-policy.com/>
+Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"
+
+# Forbid use of browser features
+# More info: <https://www.w3.org/TR/permissions-policy-1/>
+# <https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md>
+Header always set Permissions-Policy "accelerometer(), ambient-light-sensor(), autoplay(), battery(), camera(), cross-origin-isolated(), display-capture(), document-domain(), encrypted-media(), execution-while-not-rendered(), execution-while-out-of-viewport(), fullscreen(), geolocation(), gyroscope(),  layout-animations(), legacy-image-formats(), magnetometer(), microphone(), midi(), oversized-images(), navigation-override(), payment(), picture-in-picture(), publickey-credentials-get(), screen-wake-lock(), sync-xhr(), usb(), vr(), wake-lock(), web-share(), xr-spatial-tracking()"
+
+# Do not send the referrer header when navigating from HTTPS to HTTP,
+# but always send the full URL when navigating from HTTP to any origin.
+# More info: <https://scotthelme.co.uk/a-new-security-header-referrer-policy/>
+Header always set Referrer-Policy "no-referrer-when-downgrade"
+
+# enable Strict Transport Security
+Header always set Strict-Transport-Security "max-age=63072000;includeSubdomains;preload"
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet