I check my customers' websites for their technical security under the GDPR. What is really bad on all websites is the HTTP headers. SIWECOS* recommends the following settings for the .htaccess file:
#START HTTP Security header
# Requires mod_headers; the IfModule guard keeps Apache from failing if it is not loaded
<IfModule mod_headers.c>
# Content Security Policy (CSP header)
# Load content only from sites explicitly allowed
# Example: allow everything from your own domain, nothing external:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';"
# Public Key Pins
# The two pin values are placeholders and must be replaced with the base64 SHA-256 hashes of your own primary and backup keys.
# Note: HPKP is deprecated and no longer enforced by current browsers.
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
# Strict Transport Security (max-age in seconds)
Header set Strict-Transport-Security "max-age=336000; includeSubDomains"
# X-Content-Type-Options: stop browsers from MIME-sniffing the response
Header always set X-Content-Type-Options "nosniff"
# X-Frame-Options: only allow framing by pages of the same origin
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection (legacy browser filter; deprecated in current browsers)
Header always set X-XSS-Protection "1; mode=block"
# Referrer-Policy
Header set Referrer-Policy "strict-origin"
</IfModule>
# HTTP content types
AddCharset UTF-8 .html
#END HTTP Security header
Watch out for the first block (CSP header)! You have to adjust it or take it out, otherwise your website will no longer work. At this link you can generate your CSP header: https://report-uri.com/home/generate
It is best to adjust this template until it passes the SIWECOS check.
* SIWECOS is a free website monitoring service and is highly recommended. For more information, visit https://siwecos.de
I would appreciate your feedback.
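As an added example (not SIWECOS's scanner and not part of the post above), the following Python script audits a raw HTTP response against the header set in the .htaccess template: CSP, HSTS, X-Content-Type-Options, X-Frame-Options and Referrer-Policy are required, while the two deprecated headers in the template (X-XSS-Protection, Public-Key-Pins) are flagged rather than required. The two sample responses are constructed, not captured from a real site, and the one-year HSTS minimum is an assumed threshold; the template's own 336000 seconds is under four days and fails it.

```python
import re

# Assumed threshold (not from the post): one year, the value HSTS preload
# lists require. The template's 336000 s (3.9 days) is well below it.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real site).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'none'; frame-src 'self'; font-src 'self'; "
    "img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "\r\n"
    "<html></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=336000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Public-Key-Pins: pin-sha256=\"base64+primary==\"; max-age=5184000\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict with
    lowercase names. Repeated headers are joined with ', ' as per RFC 9110."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _max_age(value: str):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def _csp_sources(csp: str) -> dict:
    """Split a CSP value into {directive: [sources]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: dict) -> dict:
    """Return {check: (passed, explanation)} for the headers in the template."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}

    csp = h.get("content-security-policy")
    if csp is None:
        result["csp"] = (False, "Content-Security-Policy header missing")
    else:
        d = _csp_sources(csp)
        script = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
        loose = {"*", "'unsafe-inline'", "'unsafe-eval'"} & set(script)
        if "default-src" not in d:
            result["csp"] = (False, "CSP has no default-src fallback")
        elif loose:
            result["csp"] = (False, f"script sources allow {sorted(loose)}")
        else:
            result["csp"] = (True, "CSP sets default-src and no wildcard/unsafe script sources")

    hsts = h.get("strict-transport-security")
    age = _max_age(hsts) if hsts else None
    if age is None:
        result["hsts"] = (False, "Strict-Transport-Security missing or without max-age")
    elif age < MIN_HSTS_MAX_AGE:
        result["hsts"] = (False, f"HSTS max-age {age}s is below {MIN_HSTS_MAX_AGE}s (one year)")
    else:
        result["hsts"] = (True, f"HSTS max-age {age}s")

    result["nosniff"] = (h.get("x-content-type-options", "").lower() == "nosniff",
                         "X-Content-Type-Options must be 'nosniff'")
    result["frame"] = (h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"},
                       "X-Frame-Options must be DENY or SAMEORIGIN")
    rp = h.get("referrer-policy", "").lower()
    result["referrer"] = (bool(rp) and rp != "unsafe-url",
                          "Referrer-Policy must be set and not 'unsafe-url'")

    # Deprecated headers from the template: report them, do not require them.
    xss = h.get("x-xss-protection")
    result["xss_filter"] = (xss is None or xss.strip() == "0",
                            "X-XSS-Protection is deprecated; remove it or send '0'")
    result["hpkp"] = ("public-key-pins" not in h,
                      "Public-Key-Pins (HPKP) is deprecated and ignored by current browsers")
    return result


def failed_checks(raw_response: str) -> list:
    """Names of the checks a raw response fails, sorted for stable output."""
    report = audit_headers(parse_headers(raw_response))
    return sorted(name for name, (ok, _) in report.items() if not ok)


if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, "fails:", failed_checks(resp) or "nothing")
```

To run it against a live site, replace the constructed sample with the output of `curl -sI https://example.org` (headers only) fed to `parse_headers`; the checks themselves do not need network access.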