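# Directory options: no auto-generated listings, no CGI execution, no symlink following.
Options -Indexes -ExecCGI -FollowSymLinks
# NOTE(review): AllowOverride All lets any .htaccess in the tree re-enable the
# options above and redefine the headers below; narrow it if .htaccess is not needed.
AllowOverride All
# Server header reduced to the product name only; TRACE method disabled.
ServerTokens Prod
TraceEnable Off
# Content Security Policy (CSP)
# The original line had a stray backtick after the header name (a mod_headers syntax
# error) and was immediately followed by "Header unset Content-Security-Policy",
# which removed the header again. Both defects are fixed here; "always" applies the
# header to error responses too, matching the HSTS line below.
# NOTE(review): no default-src is declared, so fetch directives other than
# script-src/object-src are unrestricted — confirm this is intended.
Header always set Content-Security-Policy "script-src 'self'; object-src 'self'"
# Reducing MIME type security risks
Header always set X-Content-Type-Options "nosniff"
# HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
# Clickjacking
# The "Header unset X-Frame-Options" that used to follow this line cancelled it; do not re-add it.
Header always set X-Frame-Options "DENY"
# Reflected Cross-Site Scripting (XSS) attacks
# Legacy header: current browsers ignore it and rely on CSP; kept for older clients.
# The "Header unset X-XSS-Protection" that used to follow this line cancelled it; do not re-add it.
Header always set X-XSS-Protection "1; mode=block"
# Server software information
ServerSignature Off
Header unset X-Powered-By
# Weak SSL protocols
# NOTE(review): TLSv1.1 remains enabled; add -TLSv1.1 once client compatibility allows.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# NOTE(review): the log is written under /var/www/html; if that directory is the
# DocumentRoot, the error log is retrievable by clients — keep logs outside the web root.
ErrorLog /var/www/html/log/http.error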