Header Security Check

Header Security Check
Linux November 19, 2025 18 Views

Strict-Transport-Security : 
sudo a2enmod headers
sudo service apache2 restart
sudo nano /etc/apache2/sites-available/000-default.conf (If dafult is using)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"    (Add this line in SSL config file)

Content-Security-Policy---->>>
Enable the headers module in Apache by running the command sudo a2enmod headers in the terminal.
Create a file called csp.conf in the Apache configuration directory (/etc/apache2/conf-available/) with the following content:
#Header set Content-Security-Policy "default-src 'self';"
Header always set Content-Security-Policy "default-src: 'self';"
Header always set Content-Security-Policy "style-src-elem: 'self' use.fontawesome.com fonts.googleapis.com cdn.jsdelivr.net;"
Header always set Content-Security-Policy "font-src: fonts.googleapis.com;"

sudo a2enconf csp
sudo systemctl restart apache2
curl -I https://ermdev.arohan.in

X-Permitted-Cross-Domain-Policies --->>>
sudo vim /etc/apache2/apache2.conf
Header always set X-Permitted-Cross-Domain-Policies "none"  (Add this line)

Referrer-Policy ----
sudo nano /etc/apache2/sites-available/yourwebsite.conf
Header always set Referrer-Policy "no-referrer"   (Add this line in SSL config file)

Clear-Site-Data : 
Header always set Clear-Site-Data "cache, cookies, storage"  (Add this line in SSL config file)

Cross-Origin-Embedder-Policy : 
Header always set Cross-Origin-Embedder-Policy "require-corp"

Cross-Origin-Opener-Policy : 
Header always set Cross-Origin-Opener-Policy "same-origin"

Cross-Origin-Resource-Policy : 
Header always set Cross-Origin-Resource-Policy "same-origin"

Permissions-Policy : 
Header always set Permissions-Policy "geolocation=(self 'meraarohantest.arohan.in'); microphone=()"


Strict-Transport-Security : 
sudo a2enmod headers
sudo service apache2 restart
sudo nano /etc/apache2/sites-available/000-default.conf (If dafult is using)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"    (Add this line in SSL config file)

Content-Security-Policy---->>>
Enable the headers module in Apache by running the command sudo a2enmod headers in the terminal.
Create a file called csp.conf in the Apache configuration directory (/etc/apache2/conf-available/) with the following content:
#Header set Content-Security-Policy "default-src 'self';"
Header always set Content-Security-Policy "default-src: 'self';"
Header always set Content-Security-Policy "style-src-elem: 'self' use.fontawesome.com fonts.googleapis.com cdn.jsdelivr.net;"
Header always set Content-Security-Policy "font-src: fonts.googleapis.com;"

sudo a2enconf csp
sudo systemctl restart apache2
curl -I https://ermdev.arohan.in

X-Permitted-Cross-Domain-Policies --->>>
sudo vim /etc/apache2/apache2.conf
Header always set X-Permitted-Cross-Domain-Policies "none"  (Add this line)

Referrer-Policy ----
sudo nano /etc/apache2/sites-available/yourwebsite.conf
Header always set Referrer-Policy "no-referrer"   (Add this line in SSL config file)

Clear-Site-Data : 
Header always set Clear-Site-Data "cache, cookies, storage"  (Add this line in SSL config file)

Cross-Origin-Embedder-Policy : 
Header always set Cross-Origin-Embedder-Policy "require-corp"

Cross-Origin-Opener-Policy : 
Header always set Cross-Origin-Opener-Policy "same-origin"

Cross-Origin-Resource-Policy : 
Header always set Cross-Origin-Resource-Policy "same-origin"

Permissions-Policy : 
Header always set Permissions-Policy "geolocation=(self '*.tsdemo.co.in'); microphone=()"


Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Referrer-Policy "no-referrer"
Header always set Clear-Site-Data "cache, cookies, storage"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Permissions-Policy "geolocation=(self '*.tsdemo.co.in'); microphone=()"


<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://*.tsdemo.co.in/*"
Header unset X-Forwarded-Host
Header always set Permissions-Policy "fullscreen 'none' "
Header always set Clear-Site-Data "cache"
Header add Access-Control-Allow-Origin "*"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"

</IfModule>


<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://*.arohan.in/*"
#Header set Expect-CT: enforce, max-age=31536000, report-uri="https://your.report-uri.com/r/d/ct/enforce"
#Header set Expect-CT: max-age=31536000, report-uri="https://your.report-uri.com/r/d/ct/report"
Header unset X-Forwarded-Host
Header always set Permissions-Policy "fullscreen 'none' "
Header always set Clear-Site-Data "cache"
Header add Access-Control-Allow-Origin "*"
#Header set Expect-CT 'enforce, max-age=43200, report-uri="https://somedomain.co>
#Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
</IfModule>


ServerSignature Off
ServerTokens Prod
DirectoryIndex index.html index.php

Header always set Cross-Origin-Embedder-Policy "credentialless"

 

Leave a Comment

1 Comment

S
Sandeep K 1 months ago
Hi Thanks could u please share the screeshot
🛡 Admin

Ok Sandeep