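# Prevent clickjacking (forbids framing by third-party sites).
# "always" makes mod_headers apply the directive to every response, including
# 3xx/4xx/5xx pages; a plain "Header set" only touches successful responses,
# so error pages would otherwise be served without the protective headers.
Header always set X-Frame-Options sameorigin

# Prevent content sniffing (MIME sniffing)
Header always set X-Content-Type-Options nosniff

# Attempt to enable XSS filters in browsers, if available, and block reflected XSS.
# NOTE(review): this is a legacy header that current browsers no longer act on;
# a Content-Security-Policy is the usual replacement. Kept as the author
# configured it — confirm whether it is still wanted.
Header always set X-XSS-Protection "1; mode=block"

# Cache media files for a month.
# Deliberately NOT "always": error responses must not be cached for a month.
# NOTE(review): as written this applies to every successful response in scope,
# not only media files as the comment suggests — wrap it in a <FilesMatch>
# block for the media extensions if that narrower scope is the intent.
Header set Cache-Control max-age=2629800

# Remove response headers that provide no value but leak information
# ("always" so the header is stripped from error responses as well).
Header always unset X-Powered-By

# Disable "ETag" headers so that browsers rely on the "Cache-Control" and "Expires" headers.
# FileETag None stops Apache from generating the header in the first place;
# Header unset additionally removes an ETag that another module still adds.
FileETag None
Header unset ETag

# Turn off directory listings for folders without default documents
Options -Indexes

# Disable 'MultiViews' implicit filename pattern matches
Options -MultiViews

# Refuse requests into any .git directory (nested ones included).
# The dot is escaped: unescaped, "." matched any character, so unrelated
# paths such as "/legit/..." were refused as well.
RedirectMatch 403 /\.git/.*$

# NOTE(review): the two bare "Require all denied" lines below look like they
# lost their enclosing <Files>/<FilesMatch> containers (probably stripped when
# the file was extracted). Standing alone in a per-directory context they deny
# access to everything in the directory — restore the containers before use.
Require all denied
Require all denied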