Hello, I'm running apache 2.4. I've got a question on headers, should the below be set in a global context in a configuration file? Or should they be in set in each virtual host context and wrapped in IfModule statements? Also, are these headers correct? <IfModule mod_headers.c> Header unset ETag FileETag None Header unset Server Header always set X-Content-Type-Options "nosniff" Header always set X-XSS-Protection "1; mode=block" Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Header set X-Content-Security-Policy "allow 'self';" Header always set Referrer-Policy "no-referrer-when-downgrade" Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' " Header set X-Frame-Options DENY Header set Cache-Control:public, max-age=31536000 Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t" Header always set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload" Header set Expect-CT enforce,max-age=30, report-uri="url" <--- You can gradually increase the max-age once you are confident that it has been set up properly </IfModule> Thanks. Dave. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx