HTTP Headers für eine https-Seite die nichts von anderen Seiten nachlädt:

<file txt /etc/apache2/conf-available/hardening.conf>
ServerSignature Off
ServerTokens Minimal
Header set Content-Security-Policy "default-src 'self';"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=(self), microphone=()"
Header unset X-Powered-By
</file>

  a2enconf hardening

Testen: https://securityheaders.com