Security headers for web apps

[Erulezz]

I would like to suggest to enable the following headers by default for web apps (roundcube etc);

X-XSS-Protection "1; mode=block"
X-Frame-Options SAMEORIGIN
X-Content-Type-Options: "nosniff"
Referrer-Policy to none

For example in nginx webapps_settings.conf.

The referrer policy.. For obvious reasons

 

[LawsHosting]

You can also use a .htaccess in /var/www/html/ for Apache manually.