.htaccess Security Headers
The headers below can be added to any site's .htaccess (with modifications) to help make it more secure. They can also be set server-wide in Apache's security.conf. Either way mod_headers must be loaded (a2enmod headers on Debian/Ubuntu): the <IfModule mod_headers.c> wrapper silently does nothing when it is not, so check the live responses rather than assuming the headers are being sent.
Be wary of the Content-Security-Policy, as it is the header most likely to break a site and will need heavy modification to include every script and style source your website actually loads.
# Extra Security Headers
<IfModule mod_headers.c>
# "always" also sends the header on error responses; "set" replaces any value already present,
# so a backend or another module cannot leave a duplicate header behind.
# X-XSS-Protection is deprecated: current browsers ignore it and OWASP now recommends "0" or omitting it.
Header always set X-XSS-Protection "1; mode=block"
# Use set, not append: append can produce "SAMEORIGIN, SAMEORIGIN", which browsers reject as invalid.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Permitted-Cross-Domain-Policies "none"
# Only add "preload" once every subdomain serves HTTPS; removal from the preload list takes months.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "same-origin"
# Header set Feature-Policy "geolocation 'self'; fullscreen 'self' https://www.google.com;"
Header always set Permissions-Policy "microphone=(), camera=(), geolocation=(self), fullscreen=(self \"https://www.youtube.com\"), accelerometer=(self \"https://www.youtube.com\"), autoplay=(self \"https://www.youtube.com\"), clipboard-write=(self \"https://www.youtube.com\"), encrypted-media=(self \"https://www.youtube.com\"), gyroscope=(self \"https://www.youtube.com\")"
# Expect-CT is obsolete (Chrome removed support in 2022; Certificate Transparency is enforced by default). Replace the placeholder report-uri if you keep it.
Header always set Expect-CT "max-age=2592000, enforce, report-uri=\"https://www.example.com/report\""
# 'unsafe-inline' in script-src switches off most of CSP's XSS protection; move to nonces or hashes once the
# inline scripts are known. Wildcard CDN hosts such as *.googleapis.com serve libraries (e.g. AngularJS) that
# can be used to bypass a host-allowlist policy, so prefer exact hosts.
Header always set Content-Security-Policy "default-src 'self' *.youtube.com *.youtube-nocookie.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com *.doubleclick.net *.googletagmanager.com *.google-analytics.com *.google.com; connect-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com *.googleapis.com; script-src 'self' *.youtube.com *.youtube-nocookie.com *.google-analytics.com *.google.com *.googleapis.com *.googletagmanager.com *.jquery.com *.bootstrapcdn.com 'unsafe-inline';"
# CORS: anchor the pattern, escape the dots, and use $0 (the whole match). The original "$0$1" appended the
# captured "s" and emitted e.g. https://www.example.co.uks, which browsers reject.
SetEnvIf Origin "^http(s)?://(www\.)?(example\.co\.uk|youtube\.com)$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
# The response now depends on the Origin header, so caches must key on it.
Header merge Vary Origin
</IfModule>
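The online checker linked below is convenient, but the same checks can be run offline against any captured header set. The following script is an added example, not code from the original page: it audits a response's headers for the expectations behind the .htaccess above and, for CORS, reproduces the corrected SetEnvIf allowlist in Python. SAMPLE_HEADERS is constructed (not captured from a real site) to show what the original directives can produce, and the hostnames in ALLOWED_ORIGIN are placeholders.

```python
"""Offline audit of a site's security headers.

Added example, not the page's own code. SAMPLE_HEADERS is constructed to show
what the original directives ('Header append', '$0$1') can actually produce.
"""
import re

ONE_YEAR = 31536000

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",   # result of 'Header append' twice
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self' *.google.com; "
                               "script-src 'self' 'unsafe-inline' *.googleapis.com",
    "Access-Control-Allow-Origin": "https://www.example.co.uks",  # the $0$1 mistake
    "Access-Control-Allow-Credentials": "true",
}

# Corrected SetEnvIf pattern from the .htaccess (hostnames are placeholders).
ALLOWED_ORIGIN = re.compile(r"^http(s)?://(www\.)?(example\.co\.uk|youtube\.com)$")


def cors_origin(origin):
    """Value Apache would put in Access-Control-Allow-Origin for a request Origin, or None.
    Mirrors 'AccessControlAllowOrigin=$0': the whole match, never $0$1."""
    m = ALLOWED_ORIGIN.match(origin)
    return m.group(0) if m else None


def parse_csp(value):
    """Split a CSP string into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers, request_origin=None):
    """Return [(severity, message)] findings; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if not m:
        findings.append(("high", "Strict-Transport-Security missing or has no max-age"))
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(("medium", "HSTS max-age is below one year"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("medium", "X-Frame-Options missing (or use CSP frame-ancestors)"))
    elif "," in xfo:
        findings.append(("high", "X-Frame-Options carries several values; browsers ignore it"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    if h.get("x-xss-protection", "0") != "0":
        findings.append(("low", "X-XSS-Protection is deprecated; set it to 0 or drop it"))

    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append(("high", "script-src allows 'unsafe-inline' with no nonce or hash"))
        if any(s.startswith("*.") for s in scripts):
            findings.append(("medium", "script-src allows wildcard hosts; prefer exact hosts or nonces"))

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append(("high", "Access-Control-Allow-Origin * with credentials is rejected by browsers"))
    elif acao and request_origin and acao != request_origin:
        findings.append(("high", f"Access-Control-Allow-Origin {acao!r} does not echo the request Origin"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_headers(SAMPLE_HEADERS, request_origin="https://www.example.co.uk"):
        print(f"[{sev}] {msg}")
```

Feed it the output of curl -I (or a browser's network tab) for a real site; the sample set above yields five findings, three of them high, all of which go away once the directives are changed to set/always, $0, and a nonce-based script-src.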
These can be tested here: https://www.serpworx.com/check-security-headers/ (or by inspecting the response headers directly with curl -I, which also shows whether anything is being sent twice).
A Content-Security-Policy can be trialled beforehand by sending it as Content-Security-Policy-Report-Only, which reports violations to the report-uri endpoint without blocking anything:
https://www.uriports.com/blog/creating-a-content-security-policy-csp/
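Running in report-only mode only helps if the reports are turned into policy changes. The script below is an added example, not code from the page or the linked article: it aggregates the JSON bodies that browsers POST to a report-uri endpoint and splits the blocked sources into hosts that can simply be added to the policy and keywords such as "inline" that need a nonce or hash rather than 'unsafe-inline'. The report bodies are constructed, and the document-uri and blocked-uri hosts are placeholders.

```python
"""Aggregate CSP violation reports collected under Content-Security-Policy-Report-Only.

Added example, not from the page or the linked article. The report bodies are
constructed in the shape browsers POST to a report-uri endpoint; the hosts
are placeholders.
"""
import json
from urllib.parse import urlsplit

SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.co.uk/",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.jsdelivr.net/npm/lib@1.0/dist/lib.min.js",
        "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.co.uk/contact",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.jsdelivr.net/npm/other.js",
        "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.co.uk/",
        "effective-directive": "img-src",
        "violated-directive": "img-src",
        "blocked-uri": "https://i.ytimg.com/vi/abc/hqdefault.jpg",
        "disposition": "report"}}),
    # Older browsers omit effective-directive and put the whole directive in violated-directive.
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.co.uk/",
        "violated-directive": "script-src 'self' *.googleapis.com",
        "blocked-uri": "inline",
        "disposition": "report"}}),
]

# Values browsers use for blocked-uri that are not URLs.
NON_URL_SOURCES = {"inline", "eval", "data", "blob", "self"}


def blocked_source(blocked_uri):
    """Reduce a blocked-uri to the source expression a policy would need:
    the origin for URLs, the keyword itself otherwise."""
    if not blocked_uri or blocked_uri in NON_URL_SOURCES:
        return blocked_uri or "unknown"
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_uri


def summarize_reports(raw_reports):
    """Return {directive: {source: count}} from raw JSON report bodies; malformed bodies are skipped."""
    summary = {}
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        directive = report.get("effective-directive") or report.get("violated-directive", "").split(" ")[0]
        if not directive:
            continue
        source = blocked_source(report.get("blocked-uri", ""))
        counts = summary.setdefault(directive, {})
        counts[source] = counts.get(source, 0) + 1
    return summary


def suggest_additions(summary):
    """Split the summary into (hosts safe to add per directive, keywords needing manual work).
    'inline' means nonce or hash the script, not add 'unsafe-inline'."""
    additions, needs_review = {}, {}
    for directive, counts in summary.items():
        for source in counts:
            target = needs_review if source in NON_URL_SOURCES or source == "unknown" else additions
            target.setdefault(directive, []).append(source)
    return ({d: sorted(s) for d, s in additions.items()},
            {d: sorted(s) for d, s in needs_review.items()})


if __name__ == "__main__":
    add, review = suggest_additions(summarize_reports(SAMPLE_REPORTS))
    for directive, sources in add.items():
        print(f"add to {directive}: {' '.join(sources)}")
    for directive, sources in review.items():
        print(f"needs nonce/hash or a code change in {directive}: {' '.join(sources)}")
```

Collect reports for a full release cycle before switching the header from Report-Only to enforcing, since rarely visited pages only show up once someone hits them; the counts also make it obvious which blocked hosts are genuine dependencies and which are browser extensions or one-off noise.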
More reading on the Permissions-Policy header, which replaces the Feature-Policy header:
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/