This guide is for setting security headers on Apache. For a guide on setting security headers with Nginx, check out our guide here.
I’ll keep this brief. Here’s what I use on the Apache-based node server for this site (/etc/apache2/sites-enabled/YOURSITE.conf):
# Legacy XSS filter; current browsers ignore it, older ones still honour it
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'unsafe-inline' restfeed.403page.com 403page.com; script-src 'unsafe-eval'; script-src-elem 'self' *.module.js static.cloudflareinsights.com/*;"
# "set" rather than "append", so the response never carries two X-Frame-Options values
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "same-origin"
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://403page.com"
Some quick explanations: restfeed.403page.com is a WordPress instance on another server that serves the content for this site, whereas https://403page.com is the actual site you’re reading right now.
I’m using Frontity and need to allow several JS files in the Content-Security-Policy. Thankfully, they all end with module.js, so I just use a wildcard for those: *.module.js.
Lastly, I use Cloudflare and want to allow its scripts to run as I need them; that’s what static.cloudflareinsights.com/* is for. If you don’t use Cloudflare, you don’t need that.
… and here are the results:
Nothing but straight A’s. Run your own tests over at SecurityHeaders.com.
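A grade tells you the headers are present; it does not tell you what the Content-Security-Policy actually permits once a browser applies its fallback rules (script-src-elem falls back to script-src, which falls back to default-src). The following script is an added check, not part of the original post: it resolves the CSP from the config above the way a browser does and lists the weak spots a reviewer would raise.

```python
from __future__ import annotations

# Constructed test input: the Content-Security-Policy value from the Apache config in this post.
SAMPLE_CSP = ("default-src 'unsafe-inline' restfeed.403page.com 403page.com; "
              "script-src 'unsafe-eval'; "
              "script-src-elem 'self' *.module.js static.cloudflareinsights.com/*;")

# CSP3 fallback chains: the -elem/-attr directives inherit from their base directive, then from
# default-src; every other fetch directive falls back straight to default-src.
FALLBACK = {name: [name.rsplit("-", 1)[0], "default-src"]
            for name in ("script-src-elem", "script-src-attr", "style-src-elem", "style-src-attr")}
FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src",
                    "media-src", "object-src", "worker-src", "script-src-elem", "script-src-attr"]


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [sources]}; browsers keep only the first occurrence."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the sources a browser applies for `directive`; None means the type is unrestricted."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return None


def audit(header: str) -> list[str]:
    """List the weak spots a reviewer would raise, judged on the effective (post-fallback) sources."""
    policy = parse_csp(header)
    findings = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (no directive and no default-src)")
            continue
        if "*" in sources:
            findings.append(f"{directive}: allows any origin (*)")
        if directive.startswith(("script", "style")) and "'unsafe-inline'" in sources:
            findings.append(f"{directive}: allows 'unsafe-inline'")
        if directive.startswith("script") and "'unsafe-eval'" in sources:
            findings.append(f"{directive}: allows 'unsafe-eval'")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src: not 'none'; plugin content falls back to the default-src hosts")
    return findings
```

Run against the sample it shows that the 'unsafe-inline' in default-src never reaches scripts (script-src overrides it) but does reach styles, and that 'unsafe-eval' applies to inline event handlers via script-src-attr. Note also that CSP host sources are matched against the host name, so a token like *.module.js is read as any subdomain of module.js rather than as a file-name pattern.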