Add this snippet to .htaccess
```apache
# Really Simple SSL
# HSTS is only sent on HTTPS responses (env=HTTPS); browsers ignore it over plain HTTP
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy "no-referrer-when-downgrade"
# End Really Simple SSL
```
- HSTS – Once a browser has received this header over HTTPS, it rewrites every request to your domain to https:// itself, before contacting the server, for max-age seconds (31536000 = one year). The env=HTTPS condition sends it only on HTTPS responses, since browsers ignore HSTS received over plain HTTP.
- Upgrade-Insecure-Requests – This Content-Security-Policy directive is an additional method, alongside HSTS, to force requests from your pages over https://: the browser rewrites http:// URLs it finds on the page (your own domain included) to https:// before fetching them.
- X-Content-Type-Options – This header tells the browser to trust the declared Content-Type and not to “guess” (sniff) what kind of data is passed. If the extension is “.doc”, the browser should get a .doc file, not something else (a .exe).
- X-XSS-Protection – Asks the browser's built-in reflected cross-site scripting (XSS) filter to stop the page from loading when an attack is detected. Current Chromium-based browsers and Firefox no longer implement this filter, so the header only affects older browsers.
- Expect-CT, Certificate Transparency – A Certificate Authority (the issuer of the SSL certificate) needs to log the certificates it issues in public CT logs; with enforce, the browser rejects a certificate for your domain that is not logged, preventing fraud with misissued certificates. Browsers have since made CT mandatory and are phasing this header out.
- No Referrer When Downgrade header – Sends the referrer only when the protocol stays the same or gets stronger (HTTPS -> HTTPS, HTTP -> HTTPS, HTTP -> HTTP) and omits it when downgrading (HTTPS -> HTTP), so the page URL is not leaked over plaintext.
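To verify that the snippet actually took effect, the following added example (not part of Really Simple SSL or the page above) checks a set of response headers against the policy the snippet declares. It runs offline on constructed sample headers; on a live site you would feed it `dict(resp.getheaders())` from `http.client` or `resp.headers` from `requests` (assumed to be available in your environment). Expect-CT is deliberately not required, since current browsers no longer act on it.

```python
"""Check an HTTP response's security headers against the .htaccess policy above.

Added example, not part of the Really Simple SSL plugin. It takes a plain
mapping of response headers (constructed sample data below) so it runs offline.
"""
import re

# Headers the snippet is expected to produce, with their exact values.
EXPECTED = {
    "Content-Security-Policy": "upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
MIN_HSTS_AGE = 31536000  # one year, as in the snippet


def _normalize(headers):
    """Header names are case-insensitive; compare on lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def hsts_max_age(value):
    """Return the max-age from an HSTS value, or None if it is absent/malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_security_headers(headers, served_over_https=True):
    """Return a list of findings; an empty list means the policy is fully applied."""
    h = _normalize(headers)
    findings = []

    # env=HTTPS in the snippet means HSTS is only set on HTTPS responses, which is
    # correct: browsers ignore HSTS received over plain HTTP, so only check it there.
    if served_over_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            age = hsts_max_age(hsts)
            if age is None:
                findings.append("Strict-Transport-Security has no max-age")
            elif age < MIN_HSTS_AGE:
                findings.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")

    for name, want in EXPECTED.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif name == "Content-Security-Policy":
            # CSP is a ';'-separated list of directives; the snippet only needs
            # upgrade-insecure-requests to be present among them.
            directives = {d.strip().lower() for d in got.split(";")}
            if want not in directives:
                findings.append("CSP lacks upgrade-insecure-requests")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")

    return findings


# Constructed sample responses (not captured from a real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Expect-CT": "max-age=7776000, enforce",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, check_security_headers(hdrs) or "OK")
```

The comparison is case-insensitive on header names because Apache, proxies and CDNs may change their capitalisation; the HSTS check accepts a larger max-age or extra directives such as includeSubDomains, because those only strengthen the policy.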