Security Headers

Via .htaccess

<IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=31536000"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-Content-Type-Options "nosniff"
  Header set X-XSS-Protection "1; mode=block"
  # Optional; does not work with the shopping cart.
  # (Apache does not allow a comment on the same line as a directive, so it sits on its own line.)
  Header set Referrer-Policy "strict-origin"
  Header set Content-Security-Policy "default-src 'self'; font-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
</IfModule>

For WordPress, in the theme's functions.php

// Only add the headers on HTTPS requests: HSTS is ignored by browsers over plain HTTP,
// and the 'wp_headers' filter lets the theme add headers to every WordPress response.
if (!empty($_SERVER['HTTPS'])) {
	function en_hsts_header($headers) {
		$headers["Strict-Transport-Security"] = "max-age=31536000";
		$headers["X-Frame-Options"] = "SAMEORIGIN";
		$headers["X-Content-Type-Options"] = "nosniff";
		$headers["X-XSS-Protection"] = "1; mode=block";
		$headers["Referrer-Policy"] = "strict-origin";
		$headers["Content-Security-Policy"] = "default-src 'self'; object-src 'none'; frame-ancestors 'self'";

		return $headers;
	}
	add_filter('wp_headers', 'en_hsts_header');
}

See also: other security-relevant settings in functions.php, and removing superfluous tags from the WordPress HTML head.

For TYPO3, in the TypoScript setup

config.additionalHeaders {
  10.header = strict-transport-security:max-age=31536000
  20.header = X-Frame-Options:SAMEORIGIN
  30.header = X-Content-Type-Options: nosniff
  40.header = X-Xss-Protection: 1; mode=block
  50.header = Referrer-Policy:strict-origin
  60.header = Content-Security-Policy: default-src 'self'; font-src 'self'; object-src 'none'; form-action 'none'
}
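Whichever of the three configurations above is used, the result should be verified on the live response rather than assumed from the config file. The following Python audit is an added example (not part of the original page): it takes a response's header dict, parses the CSP into directives, and reports which of the page's header policies are not met. The sample headers are constructed and mirror the .htaccess CSP, which has no object-src and allows 'unsafe-inline' scripts.

```python
from typing import Dict, List

# Constructed sample response headers (not a real capture) for a page served with the .htaccess rules above.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; ",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; tolerates a trailing ';'."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value: str) -> int:
    """Return the max-age of an HSTS value, or 0 if it is absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Compare a response with the header policy above; an empty list means it is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    elif hsts_max_age(h["strict-transport-security"]) < 31536000:
        findings.append("HSTS max-age is below one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(h["content-security-policy"])
        # Directives not listed fall back to default-src, so check the effective value.
        if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
            findings.append("CSP does not block plugins with object-src 'none'")
        if "'unsafe-inline'" in policy.get("script-src", policy.get("default-src", [])):
            findings.append("CSP script-src allows 'unsafe-inline'")
    return findings
```

Run `audit_headers()` on the header dict returned by your HTTP client; the TYPO3 policy above passes the CSP checks because it sets object-src 'none' and does not allow inline scripts.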