.htaccess
Apache Security Headers Snippet
Opinionated starter for security headers. Covers X-Frame-Options, X-Content-Type-Options, Referrer-Policy, the legacy X-XSS-Protection header and a basic Permissions-Policy. Includes a commented starter CSP line you can tune later.
Usage notes
Paste this into your site’s .htaccess (or into the Apache vhost config) to send basic security headers with every response.
Always test on staging first. CSP is the one header here that can break a working site: enable it too early and you may block fonts, scripts or CDNs you rely on. Shipping the same policy as Content-Security-Policy-Report-Only first shows you what would be blocked without blocking it.
Copy this snippet into your project
<IfModule mod_headers.c>
    # "always" sends the headers on error responses (4xx/5xx) too, not only on 2xx
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Legacy header: current browsers no longer implement the XSS auditor it controls
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Basic Content-Security-Policy starter (tune for your site). Kept inside the
    # IfModule block so uncommenting it cannot break the site when mod_headers is absent.
    # Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline';"
</IfModule>
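To do the staging test the usage notes ask for, here is an added checker (not part of the original snippet) that audits a response's headers against the values above and parses the CSP starter to flag what it still allows; the sample response is constructed, and the X-XSS-Protection finding reflects current guidance rather than the snippet's setting.

```python
# Added example (not part of the original snippet): audit a staging response's
# headers against what the .htaccess above is meant to send.
EXPECTED = {  # values copied from the snippet
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    out: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip() != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy (starter line still commented out?)")
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        for name in ("script-src", "style-src"):
            if "'unsafe-inline'" in directives.get(name, []):
                findings.append(f"CSP {name} allows 'unsafe-inline'; tighten before go-live")
    if h.get("x-xss-protection", "0").startswith("1"):
        findings.append("X-XSS-Protection turns on the legacy auditor; current guidance is 0 or omit")
    return findings

# Constructed sample: what the snippet sends once its CSP line is uncommented.
SAMPLE = {
    **EXPECTED,
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data: https:; "
                               "script-src 'self'; style-src 'self' 'unsafe-inline';",
}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE) or ["all checks passed"]))
```

Against a live staging host, pass `dict(urllib.request.urlopen(url).headers.items())` to `audit_headers`; check an error page as well as the front page, since that is where a missing `always` shows up.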