# Apache hardening directives (server/vhost context: ServerTokens, TraceEnable,
# SSLProtocol and AllowOverride are not valid inside .htaccess).
# Header directives require mod_headers; SSLProtocol requires mod_ssl.

# Disable directory listings, CGI execution and symlink following
Options -Indexes -ExecCGI -FollowSymLinks
# Lets .htaccess files override these settings; use None where per-directory
# overrides are not needed, otherwise an .htaccess can re-enable what is disabled here
AllowOverride All
# Report only "Apache" in the Server header, no version or module list
ServerTokens Prod
# Disable the TRACE method
TraceEnable Off

# Content Security Policy (CSP)
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
# To remove the header instead of setting it (e.g. when the application sends
# its own policy), use the unset form; do not keep both, the later directive wins:
# Header unset Content-Security-Policy

# Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"

# HTTP Strict Transport Security (HSTS); "always" also covers non-2xx responses
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# Clickjacking
Header set X-Frame-Options "DENY"
# To remove the header instead:
# Header unset X-Frame-Options

# Reflected Cross-Site Scripting (XSS) attacks
# Legacy header: current browsers no longer implement the XSS auditor, so the
# CSP above is the effective control; kept for older clients only
Header set X-XSS-Protection "1; mode=block"
# To remove the header instead:
# Header unset X-XSS-Protection

# Server software information
ServerSignature Off
Header unset X-Powered-By

# Weak SSL protocols (TLSv1.1 is also deprecated; add -TLSv1.1 unless legacy
# clients require it)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

# Note: this path is under the document root, so the log itself may be
# served to clients; keep logs outside DocumentRoot (e.g. /var/log/apache2/)
ErrorLog /var/www/html/log/http.error
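The directives above describe what the server should send; the quickest way to confirm it actually does is to capture a response head (for example with curl -I) and check each header. The checker below is an added example, not part of the original configuration page or of Apache: it parses a raw HTTP response head and reports which of the hardening headers are missing, weakened or sent with conflicting values. The function names, the minimum HSTS age (taken from the page's own max-age) and the two sample responses are assumptions constructed for illustration.

```python
# Added example: offline audit of a captured HTTP response head against the
# hardening headers in the configuration above. Sample responses are constructed.
import re
from typing import Dict, List, Optional

# The page's own HSTS max-age (186 days); anything shorter is reported.
MIN_HSTS_AGE = 16070400


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the head of a raw HTTP/1.x response (status line plus header lines).

    Names are lower-cased; repeated headers are kept in order so that
    conflicting values (e.g. two X-Frame-Options) can be detected.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep:                 # ignore malformed lines
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    def single(name: str) -> Optional[str]:
        """Value of a header sent exactly once; otherwise record a finding."""
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            return None
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times, "
                            "browsers may ignore conflicting values")
            return None
        return values[0]

    # X-Content-Type-Options: the only meaningful value is nosniff
    v = single("x-content-type-options")
    if v is not None and v.lower() != "nosniff":
        findings.append(f"x-content-type-options: expected nosniff, got {v!r}")

    # HSTS: need a max-age at least as long as the page's value, plus includeSubDomains
    v = single("strict-transport-security")
    if v is not None:
        directives = [d.strip().lower() for d in v.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r"max-age=(\d+)", d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            findings.append("strict-transport-security: no max-age directive")
        elif max_age < MIN_HSTS_AGE:
            findings.append(f"strict-transport-security: max-age {max_age} "
                            f"below {MIN_HSTS_AGE}")
        if "includesubdomains" not in directives:
            findings.append("strict-transport-security: includeSubDomains not set")

    # X-Frame-Options: DENY (as configured) or SAMEORIGIN; anything else is ignored
    v = single("x-frame-options")
    if v is not None and v.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {v!r}")

    # CSP: script-src and object-src must exist and not be wildcard/inline
    v = single("content-security-policy")
    if v is not None:
        policy: Dict[str, List[str]] = {}
        for directive in v.split(";"):
            parts = directive.split()
            if parts:
                policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
        for name in ("script-src", "object-src"):
            sources = policy.get(name)
            if sources is None:
                findings.append(f"content-security-policy: {name} not set")
            elif "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"content-security-policy: {name} allows {sources}")

    # Banner leakage: ServerTokens Prod gives "Apache" with no digits at all
    for v in headers.get("server", []):
        if re.search(r"\d", v):
            findings.append(f"server: banner leaks version: {v!r}")
    if "x-powered-by" in headers:
        findings.append("x-powered-by: present, remove it")

    return findings


# Constructed sample: what a server with the configuration above should return.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: script-src 'self'; object-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=16070400; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>\r\n"
)

# Constructed sample: version banners, a short HSTS age without subdomains,
# an inline-permitting CSP with no object-src, and two conflicting X-Frame-Options.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"[{label}]")
        for finding in audit(parse_headers(raw)) or ["ok"]:
            print("  " + finding)
```

Feed it the output of curl -I against the host after restarting Apache; the hardened sample yields no findings, the weak one reports eight, including the duplicate X-Frame-Options, which a simple "is the header present" check would have passed.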