—————————–
/etc/apache2/conf-enabled/security.conf
ServerSignature Off
ServerTokens Prod
—————————–
/etc/apache2/mods-enabled/ssl.conf
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLStrictSNIVHostCheck Off
SSLCompression off
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(128000)
—————————–
vhost conf
Protocols h2 http/1.1
SSLUseStapling on
SSLStaplingReturnResponderErrors off
SSLStaplingResponderTimeout 5
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin"
Header set Content-Security-Policy-Report-Only "upgrade-insecure-requests; default-src 'self'; frame-ancestors 'none'; script-src 'self' https://www.googletagmanager.com https://cdnjs.cloudflare.com https://www.google-analytics.com 'unsafe-inline' about:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com"
Header always unset "X-Powered-By"
Header unset "X-Powered-By"