This guide is for setting security headers on Apache. For a guide on setting security headers with Nginx, check out our guide here.
I’ll keep this brief. Here’s what I use on the Apache-based, node server for this site (/etc/apache2/sites-enabled/YOURSITE.conf):
Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'unsafe-inline' restfeed.403page.com 403page.com; script-src 'unsafe-eval'; script-src-elem 'self' *.module.js static.cloudflareinsights.com/*;" Header always append X-Frame-Options SAMEORIGIN Header always set Referrer-Policy "same-origin" Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://403page.com"
Some quick explanations, restfeed.403page.com is a WordPress instance that serves the content to this site from another server – whereas https://403page.com is this actual site (that you’re currently on).
I’m using Frontity and need to define several JS files in the Content-Security-Policy. Thankfully, they all end with module.js – so I just have a wildcard for those: *.module.js.
Lastly, I use Cloudflare and want to allow it’s scripts to run as I need them – that’s what the static.cloudflareinsights.com/* is for. If you don’t use Cloudflare, you don’t need that.
… and here are the results:
Nothing but straight A’s. Run your own tests over at SecurityHeaders.com.