Frequently Asked Question
Security Headers (CSP)
Analyse (mini): https://securityheaders.com/
Analyse (detailliert): https://webbkoll.dataskydd.net
Blogbeitrag: https://www.roundaboutweb.net/sicherheit/security-headers-fuer-wordpress-einrichten/
Eintragung in .htaccess:
Stand Oktober 2025:
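### 21.10.2025 | Round About WEB | Header Security ###
# Security headers for a WordPress site, set via .htaccess (needs mod_headers).
# "Header always set" is used throughout so the headers are also sent on
# non-2xx responses (404/500 error pages, redirects). Plain "Header set" only
# writes the on-success table, which leaves error responses without any of
# these protections and shows up as "missing header" in scanners.
<IfModule mod_headers.c>
# CORS: these two headers only have an effect together with an
# Access-Control-Allow-Origin header, which is not set here.
Header always set Access-Control-Allow-Methods "GET,POST"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
# CSP: 'unsafe-inline' and 'unsafe-eval' in script-src are what many WordPress
# themes/plugins require, but they remove most of the XSS protection a CSP is
# meant to provide; move to nonces/hashes once the site no longer needs them.
# frame-ancestors 'none' also blocks same-origin framing and takes precedence
# over the X-Frame-Options "SAMEORIGIN" further down in browsers that support CSP.
Header always set Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'none'; form-action 'self'; worker-src blob:; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src 'self' data: https://s.w.org https://ps.w.org https://secure.gravatar.com; connect-src 'self' https://sourcemap.devowl.io"
# COEP/COOP "unsafe-none" is the browser default, so these four headers do not
# change behaviour. report-to='default' names a reporting endpoint that no
# Reporting-Endpoints/Report-To header defines here, so no reports are sent;
# NOTE(review): the spec expects double quotes around the endpoint name — confirm
# the quoting/escaping if reporting is ever wired up.
Header always set Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'"
Header always set Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'"
Header always set Cross-Origin-Opener-Policy "unsafe-none"
Header always set Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'"
# CORP cross-origin: any site may embed this site's resources (images, feeds).
Header always set Cross-Origin-Resource-Policy "cross-origin"
# Permissions-Policy: fullscreen, payment, picture-in-picture and sync-xhr are
# granted to all origins (*); display-capture and geolocation to the own origin only.
Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# HSTS only when served on the TLS port. "preload" is meant for submission to the
# browser preload lists and is hard to revert — keep it only if every subdomain
# is permanently HTTPS.
# NOTE(review): behind a TLS-terminating proxy SERVER_PORT may not be 443;
# "%{HTTPS} == 'on'" may be the safer condition — confirm for the hosting setup.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{SERVER_PORT} == 443"
# Legacy prefixed CSP header, only honoured by old Firefox/IE builds. Its policy
# differs from the Content-Security-Policy above and ends in a stray ";;";
# kept unchanged for compatibility, candidate for removal.
Header always set X-Content-Security-Policy "default-src 'self'; img-src *; media-src * data:;;"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
# Deprecated browser XSS filter; current guidance is "0" or omitting the header.
Header always set X-XSS-Protection "1; mode=block"
</IfModule>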
# END Headers Security Stand 16.05.2019:
### 16.05.2019 | Round About WEB | Security Headers ###
# Older variant of the header set (the October 2025 block above is the current one).
# Several values below are not valid header syntax and are silently ignored by
# browsers, so this block gives less protection than it appears to.
<ifmodule mod_headers.c>
# Plain "Header set" only applies to 2xx responses; error pages get none of these.
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set Referrer-Policy "same-origin"
# Deprecated browser XSS filter; current guidance is "0" or leaving it out.
Header set X-XSS-Protection "1; mode=block"
Header set x-frame-options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
# "none" on its own is not a valid Feature-Policy value (the syntax is
# "<feature> 'none'; ..."), so this header has no effect.
Header set Feature-Policy "none"
# "self" alone is not a CSP directive; browsers treat it as an unknown directive
# and apply no policy at all. Presumably "default-src 'self'" was intended.
Header set Content-Security-Policy "self"
# Syntax problems: "fullscreen" has no allowlist, the ";" after midi=() should be
# a ",", and self must not be quoted in Permissions-Policy — parsers may drop the
# affected entries or the remainder of the list.
Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen, geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(); payment=(), picture-in-picture=('self'), usb=()"
</ifmodule>
