A good starting point for apache security headers
<IfModule mod_headers.c> Header always set X-Frame-Options "SAMEORIGIN" Header always set X-XSS-Protection "1; mode=block" Header always set Expect-CT "max-age=86400, enforce" Header always set Feature-Policy "\ geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \ magnetometer 'none'; accelerometer 'none'; vr 'none'; \ speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \ microphone 'none'" Header always set Content-Security-Policy "\ default-src 'self' 'unsafe-inline' data:;\ font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \ style-src 'self' 'unsafe-inline' fonts.googleapis.com; \ script-src 'self' 'unsafe-inline' 'unsafe-eval';" Header always set Access-Control-Allow-Origin "*" Header always set X-Content-Type-Options nosniff </IfModule>