Add this code to your .htaccess file:
# Security response headers, applied only when mod_headers is loaded.
# If the module is missing, this whole block is skipped without any error and
# no headers are sent, so check a live response after deploying.
# In .htaccess the Header directive also needs AllowOverride FileInfo.
# "always" adds each header to error responses and redirects as well as to
# successful ones.
<IfModule mod_headers.c>
# Enforce HTTPS
# HSTS only tells browsers to use HTTPS on later visits; it does not redirect.
# Browsers ignore this header on plain-HTTP responses, so pair it with an
# HTTP-to-HTTPS redirect. max-age=31536000 is one year.
# includeSubDomains covers every subdomain, so each one must serve valid HTTPS.
# preload signals consent to browser preload lists, and removal from those
# lists is slow. Drop it unless the whole domain is committed to HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Content Security Policy
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src permit inline
# scripts, inline event handlers and eval(). That removes most of the XSS
# protection a CSP provides. Prefer nonces or hashes and remove both keywords
# once the site's scripts allow it.
# base-uri, form-action and frame-ancestors do not fall back to default-src,
# so they are unrestricted under this policy.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
# Prevent Clickjacking
# Only same-origin pages may frame this site. The CSP equivalent is
# frame-ancestors 'self', which the policy above does not set.
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME Sniffing
# Browsers must honour the declared Content-Type, so the server has to send
# correct types for scripts and stylesheets.
Header always set X-Content-Type-Options "nosniff"
# Referrer Policy
# Full URL to same-origin requests, origin only to cross-origin requests, and
# nothing on an HTTPS-to-HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions Policy
# An empty allowlist () disables the feature for this page and for any frame
# embedded in it.
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
# Cross-Origin Headers
# unsafe-none is the browser default for COEP; it gives no cross-origin
# isolation.
Header always set Cross-Origin-Embedder-Policy "unsafe-none"
# Keeps the browsing context group separate from cross-origin openers while
# still letting this site keep a reference to popups it opens.
Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
# NOTE(review): cross-origin is the most permissive CORP value and marks every
# response as loadable by any site. Use same-site or same-origin unless
# resources are meant to be embedded by other origins.
Header always set Cross-Origin-Resource-Policy "cross-origin"
</IfModule>