Header always set Content-Security-Policy "default-src * https: data:; style-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'" Header set Referrer-Policy 'strict-origin' Header set Permissions-Policy geolocation=() Header set X-Content-Type-Options nosniff # Header set Strict-Transport-Security "max-age=31536000" Header always set X-Xss-Protection "1; mode=block" # Header always set X-Frame-Options "SAMEORIGIN"