HTTP Security Response Headers

I was looking into improving my site's HTTP Security Response Headers and came across the following useful articles:

For this website's security headers I ended up with the configuration listed below. I can refine it further in the future and lock it down more, but at the moment I am pleased with the results. The following goes in the .htaccess file on your Apache web server; the IfModule guard means the headers are only emitted when mod_headers is loaded, so make sure it is enabled.

# Start Security Headers

<IfModule mod_headers.c>
    # "always" also applies the headers to error responses (4xx/5xx),
    # which a plain "Header set" does not.

    # HSTS: one year, all subdomains. "preload" is a long-term commitment:
    # keep it only if you submit the domain to hstspreload.org and every
    # subdomain can serve HTTPS. env=HTTPS limits the header to TLS responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

    # The XSS auditor this header controlled has been removed from current
    # browsers; "0" disables it in the old ones, where it caused problems.
    Header always set X-XSS-Protection "0"

    Header always set X-Content-Type-Options "nosniff"

    # Send exactly one X-Frame-Options value, and keep it consistent with the
    # CSP frame-ancestors directive (SAMEORIGIN pairs with 'self', DENY with
    # 'none'); browsers that support frame-ancestors give it precedence.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self';"

    # Header name and value are separate arguments: a colon after the name
    # becomes part of the name. strict-origin-when-cross-origin is the
    # stricter choice if the full referrer URL is not needed cross-origin.
    Header always set Referrer-Policy "no-referrer-when-downgrade"

    # Each feature takes an allowlist: () denies it everywhere, (self) allows
    # only this origin.
    Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=()"
</IfModule>

# Disable the server signature on error pages (ServerTokens is
# server-config only and cannot go in .htaccess)
ServerSignature Off

# End Security Headers
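As an added example for checking the result without an online scanner (this is not part of the original post or its .htaccess), the script below parses the header block you would get from `curl -sI https://your-site.example/` and reports the problems such scanners flag: a missing or short HSTS max-age, duplicate X-Frame-Options values, X-Frame-Options disagreeing with CSP frame-ancestors, a Referrer-Policy whose value begins with a colon (the sign of a stray colon after the header name in a `Header` directive), malformed Permissions-Policy directives, and the legacy X-XSS-Protection header. Both sample responses are constructed, not captured from any site; the doubled colon in the broken one is my assumption about how such a misnamed header reaches the wire.

```python
"""Audit a raw HTTP response for the security headers discussed above.

Feed it the header block from `curl -sI https://your-site.example/`. The
sample responses at the bottom are constructed, not captured from any site.
"""
import re

MIN_HSTS_AGE = 31536000  # one year, also the hstspreload.org minimum

REFERRER_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# One Permissions-Policy directive: feature=* or feature=(allowlist), where the
# allowlist holds any mix of *, self, src and quoted origins.
PP_DIRECTIVE = re.compile(
    r'^[a-z][a-z0-9-]*=(\*|\((\s*(\*|self|src|"https?://[^"\s]+")\s*)*\))$'
)


def parse_headers(raw):
    """Return (lower-cased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_name = {}
    for name, value in parse_headers(raw):
        by_name.setdefault(name, []).append(value)

    def first(name):
        values = by_name.get(name, [])
        if len(values) > 1:  # duplicates with different values are handled inconsistently
            findings.append(f"{name}: sent {len(values)} times ({', '.join(values)})")
        return values[0] if values else None

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"strict-transport-security: max-age {age} is under one year")
        if "preload" in hsts and "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security: preload requires includeSubDomains")

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("x-content-type-options: missing or not 'nosniff'")

    # Clickjacking: X-Frame-Options and CSP frame-ancestors must agree, since
    # browsers that support frame-ancestors ignore X-Frame-Options.
    xfo = first("x-frame-options")
    csp = first("content-security-policy") or ""
    m = re.search(r"frame-ancestors\s+([^;]+)", csp)
    ancestors = m.group(1).strip() if m else None
    if xfo is None and ancestors is None:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unsupported value {xfo!r}")
    elif xfo is not None and ancestors is not None:
        expected = {"DENY": "'none'", "SAMEORIGIN": "'self'"}[xfo.upper()]
        if ancestors != expected:
            findings.append(f"x-frame-options {xfo} disagrees with frame-ancestors {ancestors}")

    rp = first("referrer-policy")
    if rp is None:
        findings.append("referrer-policy: missing")
    elif rp.startswith(":"):
        # Assumed wire form of "Header set Referrer-Policy: value": the colon
        # stays in the name, so the line reads "Referrer-Policy:: value".
        findings.append("referrer-policy: value starts with ':' (stray colon in the Header directive)")
    elif not all(t.strip() in REFERRER_TOKENS for t in rp.split(",")):
        findings.append(f"referrer-policy: unknown token in {rp!r}")

    pp = first("permissions-policy")
    if pp is not None:
        for directive in (d.strip() for d in pp.split(",")):
            if not PP_DIRECTIVE.match(directive):
                findings.append(f"permissions-policy: malformed directive {directive!r}")

    xss = first("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append("x-xss-protection: legacy header, send '0' or drop it")

    return findings


# Constructed response modelled on a .htaccess that appends SAMEORIGIN and
# also sets DENY, types "Referrer-Policy:" with a colon, and uses "Origin()".
BROKEN = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy:: no-referrer-when-downgrade
Permissions-Policy: accelerometer=Origin(), autoplay=(), camera=()
Content-Security-Policy: frame-ancestors 'self';
"""

# Constructed response from a corrected configuration.
FIXED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: accelerometer=(), autoplay=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), usb=()
"""

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        result = audit(raw)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against a live capture by saving `curl -sI` output to a file and passing its contents to `audit()`; the checks are deliberately strict about agreement between X-Frame-Options and frame-ancestors because a scanner grade does not tell you when the two headers contradict each other.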

Afterwards I tested my site on the following sites:

I ended up with an A+ at the time of writing.
If you find this, I hope it helps you too.

Daniel Sixto | dsixto

Just a random person with a natural curiosity for technological things.

If you happened to stumble across this, keep in mind I have this posted so I can reference it at a later time.

I figured why not just consolidate this on my site and make it public.

If the content helps you out, then I am glad I was able to help in some way.

Designed By Daniel Sixto | 2026