Header Security Check
Strict-Transport-Security :
sudo a2enmod headers
sudo service apache2 restart
sudo nano /etc/apache2/sites-available/000-default.conf (If dafult is using)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" (Add this line in SSL config file)
Content-Security-Policy---->>>
Enable the headers module in Apache by running the command sudo a2enmod headers in the terminal.
Create a file called csp.conf in the Apache configuration directory (/etc/apache2/conf-available/) with the following content:
#Header set Content-Security-Policy "default-src 'self';"
Header always set Content-Security-Policy "default-src: 'self';"
Header always set Content-Security-Policy "style-src-elem: 'self' use.fontawesome.com fonts.googleapis.com cdn.jsdelivr.net;"
Header always set Content-Security-Policy "font-src: fonts.googleapis.com;"
sudo a2enconf csp
sudo systemctl restart apache2
curl -I https://ermdev.arohan.in
X-Permitted-Cross-Domain-Policies --->>>
sudo vim /etc/apache2/apache2.conf
Header always set X-Permitted-Cross-Domain-Policies "none" (Add this line)
Referrer-Policy ----
sudo nano /etc/apache2/sites-available/yourwebsite.conf
Header always set Referrer-Policy "no-referrer" (Add this line in SSL config file)
Clear-Site-Data :
Header always set Clear-Site-Data "cache, cookies, storage" (Add this line in SSL config file)
Cross-Origin-Embedder-Policy :
Header always set Cross-Origin-Embedder-Policy "require-corp"
Cross-Origin-Opener-Policy :
Header always set Cross-Origin-Opener-Policy "same-origin"
Cross-Origin-Resource-Policy :
Header always set Cross-Origin-Resource-Policy "same-origin"
Permissions-Policy :
Header always set Permissions-Policy "geolocation=(self 'meraarohantest.arohan.in'); microphone=()"
Strict-Transport-Security :
sudo a2enmod headers
sudo service apache2 restart
sudo nano /etc/apache2/sites-available/000-default.conf (If dafult is using)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" (Add this line in SSL config file)
Content-Security-Policy---->>>
Enable the headers module in Apache by running the command sudo a2enmod headers in the terminal.
Create a file called csp.conf in the Apache configuration directory (/etc/apache2/conf-available/) with the following content:
#Header set Content-Security-Policy "default-src 'self';"
Header always set Content-Security-Policy "default-src: 'self';"
Header always set Content-Security-Policy "style-src-elem: 'self' use.fontawesome.com fonts.googleapis.com cdn.jsdelivr.net;"
Header always set Content-Security-Policy "font-src: fonts.googleapis.com;"
sudo a2enconf csp
sudo systemctl restart apache2
curl -I https://ermdev.arohan.in
X-Permitted-Cross-Domain-Policies --->>>
sudo vim /etc/apache2/apache2.conf
Header always set X-Permitted-Cross-Domain-Policies "none" (Add this line)
Referrer-Policy ----
sudo nano /etc/apache2/sites-available/yourwebsite.conf
Header always set Referrer-Policy "no-referrer" (Add this line in SSL config file)
Clear-Site-Data :
Header always set Clear-Site-Data "cache, cookies, storage" (Add this line in SSL config file)
Cross-Origin-Embedder-Policy :
Header always set Cross-Origin-Embedder-Policy "require-corp"
Cross-Origin-Opener-Policy :
Header always set Cross-Origin-Opener-Policy "same-origin"
Cross-Origin-Resource-Policy :
Header always set Cross-Origin-Resource-Policy "same-origin"
Permissions-Policy :
Header always set Permissions-Policy "geolocation=(self '*.tsdemo.co.in'); microphone=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Referrer-Policy "no-referrer"
Header always set Clear-Site-Data "cache, cookies, storage"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Permissions-Policy "geolocation=(self '*.tsdemo.co.in'); microphone=()"
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://*.tsdemo.co.in/*"
Header unset X-Forwarded-Host
Header always set Permissions-Policy "fullscreen 'none' "
Header always set Clear-Site-Data "cache"
Header add Access-Control-Allow-Origin "*"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
</IfModule>
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://*.arohan.in/*"
#Header set Expect-CT: enforce, max-age=31536000, report-uri="https://your.report-uri.com/r/d/ct/enforce"
#Header set Expect-CT: max-age=31536000, report-uri="https://your.report-uri.com/r/d/ct/report"
Header unset X-Forwarded-Host
Header always set Permissions-Policy "fullscreen 'none' "
Header always set Clear-Site-Data "cache"
Header add Access-Control-Allow-Origin "*"
#Header set Expect-CT 'enforce, max-age=43200, report-uri="https://somedomain.co>
#Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
</IfModule>
ServerSignature Off
ServerTokens Prod
DirectoryIndex index.html index.php
Header always set Cross-Origin-Embedder-Policy "credentialless"

1 Comment
Ok Sandeep