A good starting point for Apache security headers:
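<IfModule mod_headers.c>
# Baseline response headers, applied only when mod_headers is loaded.
# "always" also covers error responses. If the application behind Apache sets
# the same headers itself, check the responses for duplicates.
# Not included here: Strict-Transport-Security, which should be added once the
# whole site, subdomains included, is served over HTTPS.

# Clickjacking defence for older browsers; the CSP frame-ancestors directive
# below is the current mechanism and takes precedence where both are supported.
Header always set X-Frame-Options "SAMEORIGIN"

# The legacy XSS auditor is gone from current browsers, and "1; mode=block"
# could be turned against the page in the browsers that still had it.
# "0" disables it explicitly; script injection is the CSP's job.
Header always set X-XSS-Protection "0"

# Expect-CT is deprecated and current browsers no longer act on it.
# It is harmless to keep for old clients and safe to delete.
Header always set Expect-CT "max-age=86400, enforce"

# Feature-Policy was renamed Permissions-Policy with a different syntax.
# The old header is kept for browsers that only understand it.
Header always set Feature-Policy "\
geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \
magnetometer 'none'; accelerometer 'none'; vr 'none'; \
speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \
microphone 'none'"

# Same intent in the current syntax. vr, speaker and ambient-light-sensor are
# left out because they are not generally recognised Permissions-Policy features.
Header always set Permissions-Policy "\
geolocation=(), midi=(), camera=(), usb=(), \
magnetometer=(), accelerometer=(), gyroscope=(), \
microphone=()"

# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow inline
# script and eval(), so this policy restricts where resources load from but
# does little against injected script. Treat it as a compatibility baseline:
# inventory inline scripts, move to nonces or hashes, and trial the stricter
# policy with Content-Security-Policy-Report-Only before enforcing it.
# frame-ancestors is not covered by default-src, so it is set explicitly to
# mirror X-Frame-Options SAMEORIGIN.
Header always set Content-Security-Policy "\
default-src 'self' 'unsafe-inline' data:;\
font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
frame-ancestors 'self';"

# Access-Control-Allow-Origin "*" is not a hardening header: it lets any web
# origin read this site's non-credentialed responses, which matters most for
# intranet or IP-restricted hosts. Disabled by default; enable it only on the
# paths that are meant to be public cross-origin (fonts, a public API), or
# name the allowed origin instead of "*".
# Header always set Access-Control-Allow-Origin "*"

# Stops browsers from MIME-sniffing a response away from its declared type.
Header always set X-Content-Type-Options nosniff
</IfModule>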