paddylandau

Selected security lines for .htaccess

Nov 29th, 2023
# SiteGround adds this:
# https://www.siteground.co.uk/blog/vary-http-header/
# SGO Unset Vary
Header unset Vary
# SGO Unset Vary END

# Tell browsers to always use https.
# This can be done through Site Tools > Security > HTTP Enforce.
# Not all browsers honour this, but some do, and Google likes it.
# Note: includeSubDomains applies the policy to every subdomain, and preload
# only takes effect once the domain is submitted to the browser preload list.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# Bonus bunch of security items. Some might be unsuitable for your specific website.
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Note: X-XSS-Protection is a legacy header; current Chrome, Edge and Firefox ignore it.
Header set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy "no-referrer-when-downgrade"
Header always set Permissions-Policy "fullscreen=(self)"
# End of bonus bunch of security items.

# The following section forces https always everywhere, even on "hidden" items, e.g. CSS.
# SiteGround adds this if you select the right option, but you can add it manually.
# HTTPS forced by SG-Optimizer
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Redirect only when both the proxy header and the local connection say "not https".
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END HTTPS
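
An added example, not part of the original paste: a Python check that compares the headers a client actually received against the values configured above, including the case where `append` leaves X-Frame-Options doubled because another layer already set it. The names `EXPECTED`, `SAMPLE`, `parse_hsts` and `audit` and the sample headers are constructed for illustration.

```python
import re

# Values the .htaccess lines above should produce (header names lower-cased).
EXPECTED = {
    "content-security-policy": "upgrade-insecure-requests",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "no-referrer-when-downgrade",
    "permissions-policy": "fullscreen=(self)",
}
SAMPLE = [  # constructed sample: headers as received from a drifted setup
    ("Strict-Transport-Security", "max-age=300; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN"),  # doubled by an append
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("Permissions-Policy", "fullscreen=(self)"),
]

def parse_hsts(value):  # returns (max_age or None, set of other directives)
    max_age, flags = None, set()
    for part in (p.strip().lower() for p in value.split(";")):
        m = re.fullmatch(r'max-age="?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part)
    return max_age, flags

def audit(headers, https=True):
    """headers: (name, value) pairs as received. Returns a list of findings."""
    findings, seen = [], {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value.strip())
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1 or values[0].lower() != want.lower():
            findings.append(f"{name}: got {', '.join(values)!r}, expected {want!r}")
    hsts = seen.get("strict-transport-security", [])
    if https != bool(hsts):  # env=HTTPS: header expected on HTTPS responses only
        findings.append("strict-transport-security: " + ("missing" if https else "sent over HTTP"))
    for value in hsts:
        max_age, flags = parse_hsts(value)
        if max_age is None or max_age < 31536000:
            findings.append(f"strict-transport-security: max-age {max_age} too low")
        findings += [f"strict-transport-security: {f} absent"
                     for f in ("includesubdomains", "preload") if f not in flags]
    return findings
```

Calling `audit(SAMPLE)` returns four findings: the missing Content-Security-Policy, the doubled X-Frame-Options, the short max-age and the absent preload directive.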