HTTP Header Security

If you are running the Apache HTTP Server, you may consider enabling these HTTP headers to improve the security of your website. I use these on my sites. This list is valid as of May 2019.

  • Header always set X-Frame-Options DENY
  • Header always set X-Content-Type-Options nosniff
  • Header always set Referrer-Policy strict-origin-when-cross-origin
  • Header always unset X-Powered-By
  • Header always set X-XSS-Protection "1; mode=block"
  • Header always set X-Permitted-Cross-Domain-Policies "none"
  • Header always set Report-To "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://ekvastra.report-uri.com/a/d/g\"}],\"include_subdomains\":true}"
  • Header always set NEL "{\"report_to\":\"default\",\"max_age\":31536000,\"include_subdomains\":true}"
  • Header always set Feature-Policy "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'"
  • Header always set Content-Language "en"
  • Header always set Tk N
  • Header always unset Pragma
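To verify that a server actually emits this set after a config change, here is an added Python checker (not from the original page or any project it mentions) that parses a raw HTTP response head and reports every header that is missing, carries the wrong value, or should have been unset. The expected values are copied from the list above; the Report-To and NEL JSON bodies are only checked for presence because their endpoint URL is site-specific. The sample responses embedded in the script are constructed, not captures from any real site.

```python
"""Audit an HTTP response head against the Apache header list above.

Constructed example: the sample responses below are made up, not output
from any real site. Expected values mirror the directive list on this page.
"""
import sys
from typing import Dict, List

# Headers set with an exact value ("Header always set NAME VALUE").
EXPECTED: Dict[str, str] = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-xss-protection": "1; mode=block",
    "x-permitted-cross-domain-policies": "none",
    "feature-policy": "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'",
    "content-language": "en",
    "tk": "N",
}
# Headers removed with "Header always unset NAME": they must be absent.
FORBIDDEN = ("x-powered-by", "pragma")
# Headers whose value is site-specific JSON: only presence is checked here.
REQUIRED_PRESENT = ("report-to", "nel")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x response head into a case-insensitive header map.

    The status line is skipped, names are lower-cased, repeated headers are
    kept as a list, and parsing stops at the first blank line (end of head).
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings in list order; an empty list means the head matches."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif len(got) > 1:
            # Two copies usually mean the header is set twice (e.g. vhost + .htaccess).
            findings.append(f"duplicate: {name} ({len(got)} values)")
        elif got[0] != want:
            findings.append(f"wrong value: {name}={got[0]!r} (want {want!r})")
    for name in REQUIRED_PRESENT:
        if name not in headers:
            findings.append(f"missing: {name}")
    for name in FORBIDDEN:
        if name in headers:
            findings.append(f"should be unset: {name}={headers[name][0]!r}")
    return findings


# Constructed sample 1: a mis-configured vhost (framing allowed, XSS filter
# header absent, X-Powered-By still leaking the backend name).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Feature-Policy: camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'\r\n"
    "Content-Language: en\r\n"
    "Tk: N\r\n"
    'Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.invalid/r"}]}\r\n'
    'NEL: {"report_to":"default","max_age":31536000}\r\n'
    "X-Powered-By: PHP/7.3\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample 2: the same head after applying the directive list.
HARDENED_RESPONSE = (
    WEAK_RESPONSE.replace("X-Frame-Options: SAMEORIGIN", "X-Frame-Options: DENY")
    .replace("X-Powered-By: PHP/7.3\r\n", "")
    .replace("Tk: N\r\n", "Tk: N\r\nX-XSS-Protection: 1; mode=block\r\n")
)


if __name__ == "__main__":
    # Usage: curl -sD - -o /dev/null https://host/ | python3 header_audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else WEAK_RESPONSE
    for finding in audit(parse_headers(raw)) or ["ok: all headers match"]:
        print(finding)
```

Feeding the script the head dumped by `curl -sD - -o /dev/null https://host/` gives a quick regression check after editing the vhost; the duplicate-header case is worth keeping because a header set both in the server config and in `.htaccess` is sent twice, and browsers do not treat two `X-Frame-Options` values the way a single `DENY` is treated.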

These headers are set by the Cloudflare proxy, so they are not configured in Apache:

  • Vary
  • Expect-CT
  • Strict-Transport-Security
  • Server
  • cf-cache-status
  • cf-ray

The remaining headers are tuned for each of my sites individually; the following is the setting for notes.ekvastra.in: