A deep analysis of the configuration of any SSL web server on the public Internet can be done here:
https://www.ssllabs.com/ssltest/index.html
Security Headers is another test that shows, and helps you fix, some website security issues. The tool I used for it is https://securityheaders.com/.
Initially, after implementing HSTS on my website, the result I got on https://securityheaders.com/ was an F, and on SSL Labs only a B.
If HSTS is not yet active on your website, please read my article How to activate HSTS on apache server and follow its steps first, because the A+ score depends on it.
So I did some research and found that, to improve my website's security score, I had to add the following headers to my SSL vhost.
# "always" sends the header on error and redirect responses too, not only on 2xx
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Feature-Policy "microphone 'none'; sync-xhr 'self' https://www.criscond.co.uk"
# The whole policy goes in ONE header: a second "Header set" of the same name replaces the first,
# so one directive per line would leave only the last one in the response.
# 'self' is added to img-src because a bare host-source such as criscond.co.uk does not match www.criscond.co.uk.
Header always set Content-Security-Policy "default-src https:; \
img-src 'self' criscond.co.uk; \
script-src https: 'unsafe-inline' criscond.co.uk; \
style-src https: 'unsafe-inline' criscond.co.uk fonts.googleapis.com; \
font-src https: data: criscond.co.uk fonts.gstatic.com"
X-Frame-Options (XFO) is an HTTP response header, also referred to as an HTTP security header, which has been around since 2008. In 2013 it was officially published as RFC 7034, but it is not an Internet standard. This header tells the browser how to behave when handling your site's content. The main reason for its inception was to provide clickjacking protection by not allowing a page to be rendered in a frame, whether a <frame>, <iframe> or <object>. DENY refuses framing by anyone, including your own pages; SAMEORIGIN allows framing only from the same origin. The CSP frame-ancestors directive now covers the same ground with finer control, but X-Frame-Options is still worth sending for older browsers.
X-Content-Type-Options: nosniff prevents MIME-sniffing: the browser must honour the declared Content-Type and will not reinterpret, say, a text/plain upload as a script or stylesheet.
The Referrer-Policy HTTP header specifies the referrer policy that the user agent applies when determining what referrer information should be included with requests made, and with browsing contexts created, from the context of the protected resource. no-referrer-when-downgrade sends the full URL to HTTPS destinations and nothing when going from HTTPS to plain HTTP; it was the browsers' traditional default, so it satisfies the scanner without hiding much. strict-origin-when-cross-origin is the tighter choice if other sites should only see your origin, not the full path.
Feature Policy was created to allow site owners to enable and disable certain web platform features on their own pages and on the pages they embed. Being able to restrict the features your own site can use is nice, but being able to restrict the features that embedded sites can use is even better protection to have. It has since been renamed Permissions-Policy, with a different value syntax; the Feature-Policy header used above is the older form.
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context. All of its directives go in one header value, separated by semicolons. Be aware of what the policy above actually permits: 'unsafe-inline' lets any injected inline script run, and the https: source lets any HTTPS host serve scripts, so it satisfies the scanner but gives little real XSS protection. Once you know which resources the site loads, tighten script-src to 'self', explicit hosts and nonces or hashes.
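To see why the vhost must carry the whole policy in a single header, and what a scanner still objects to in a policy like the one above, here is an added Python example. It is not code from this article or from Apache: it models the mod_headers directives (set, add, append, merge, unset, and the always condition) on a constructed vhost fragment that uses example.com in place of the real domain, then parses the resulting Content-Security-Policy and lints its sources. The mod_headers model is a simplification (the non-always table is treated as sent only with 2xx responses), and SAMPLE_VHOST and SAMPLE_VHOST_FIXED are constructed inputs.

```python
import re
from typing import Dict, List

# Constructed vhost fragment (example.com stands in for the real site) that repeats the
# pattern of several "Header set Content-Security-Policy" lines.
SAMPLE_VHOST = """
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src https:;"
Header set Content-Security-Policy "img-src example.com;"
Header set Content-Security-Policy "script-src https: 'unsafe-inline' example.com;"
"""

# The same policy as mod_headers needs it: one header value, directives separated by ';'.
SAMPLE_VHOST_FIXED = """
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src https:; img-src 'self' example.com; script-src https: 'unsafe-inline' example.com"
"""

_DIRECTIVE = re.compile(
    r'^\s*Header\s+(?P<always>always\s+)?(?P<action>set|add|append|merge|unset)\s+'
    r'(?P<name>\S+)(?:\s+"(?P<quoted>[^"]*)"|\s+(?P<bare>\S+))?\s*$',
    re.IGNORECASE,
)


def simulate_mod_headers(config: str, status: int = 200) -> Dict[str, List[str]]:
    """Simplified model of mod_headers (an assumption of this example, not Apache itself).
    Directives without 'always' go to the onsuccess table, which is only sent with 2xx
    responses; 'always' directives are sent with every response. Within a table 'set'
    replaces the existing value, 'add' emits an extra header line, 'append' and 'merge'
    join values with ', ' ('merge' skips a value already present) and 'unset' removes it."""
    tables: Dict[str, Dict[str, List[str]]] = {"onsuccess": {}, "always": {}}
    for line in config.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        table = tables["always" if m.group("always") else "onsuccess"]
        name = m.group("name").lower()
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        action = m.group("action").lower()
        if action == "set":
            table[name] = [value]
        elif action == "add":
            table.setdefault(name, []).append(value)
        elif action in ("append", "merge"):
            existing = table.get(name)
            if not existing:
                table[name] = [value]
            elif action == "append" or value not in existing[-1].split(", "):
                existing[-1] = existing[-1] + ", " + value
        elif action == "unset":
            table.pop(name, None)
    sent: Dict[str, List[str]] = {}
    if 200 <= status < 300:
        for name, values in tables["onsuccess"].items():
            sent.setdefault(name, []).extend(values)
    for name, values in tables["always"].items():
        sent.setdefault(name, []).extend(values)
    return sent


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}. Directive names are case-insensitive
    and, per the spec, a repeated directive name is ignored (the first one wins)."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_csp(policy: str) -> List[str]:
    """Flag what a header scanner would still object to: inline scripts, scheme-wide
    script sources, and the directives that never fall back to default-src."""
    d = parse_csp(policy)
    findings: List[str] = []
    scripts = d.get("script-src", d.get("default-src", []))
    # browsers ignore 'unsafe-inline' when a nonce or hash source is also present
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected <script> still runs, so most of the XSS protection is lost")
    if any(s in ("https:", "*") for s in scripts):
        findings.append("script-src allows any HTTPS origin: an attacker-controlled HTTPS host is a permitted script source")
    for name in ("frame-ancestors", "base-uri", "form-action"):
        if name not in d:
            findings.append(f"{name} is absent and does not fall back to default-src")
    return findings


if __name__ == "__main__":
    print("CSP sent for a 200 with the split config:",
          simulate_mod_headers(SAMPLE_VHOST, 200).get("content-security-policy"))
    print("CSP sent for a 404 with the split config:",
          simulate_mod_headers(SAMPLE_VHOST, 404).get("content-security-policy"))
    fixed = simulate_mod_headers(SAMPLE_VHOST_FIXED, 404)["content-security-policy"][0]
    for finding in lint_csp(fixed):
        print("-", finding)
```

Run against the split configuration, the 200 response carries only the last directive (script-src) and a 404 carries no CSP at all, because the directives lacked always; the merged form is sent everywhere and parses into all three directives, but the linter still reports 'unsafe-inline', the https: scheme source and the missing frame-ancestors, base-uri and form-action.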
Please find below a template with all the headers mentioned above; replace %domain_idn% with your own domain (it is left as a placeholder here).
# "always" sends the header on error and redirect responses too, not only on 2xx
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Feature-Policy "microphone 'none'; sync-xhr 'self' https://www.%domain_idn%"
# The whole policy goes in ONE header: a second "Header set" of the same name replaces the first,
# so one directive per line would leave only the last one in the response.
# 'self' is added to img-src because a bare host-source does not match its www. subdomain.
Header always set Content-Security-Policy "default-src https:; \
img-src 'self' %domain_idn% *.cloudflare.com; \
script-src https: 'unsafe-inline' %domain_idn% *.cloudflare.com; \
style-src https: 'unsafe-inline' %domain_idn% *.cloudflare.com fonts.googleapis.com; \
font-src https: data: %domain_idn% *.cloudflare.com fonts.gstatic.com"
After all these changes have been made, check the configuration syntax (apachectl configtest), restart or reload Apache and re-run both tests; also browse the site with the browser console open, because any resource the CSP blocks shows up there as an error.
That is all!
Thank you for your time!