Hi, @schoen and others,
Recently, I got an SSL certificate from “Let’s Encrypt”. I put my ‘https’ website through the observatory.mozilla.org set of tests and I got a wide range of results: from “F” to “A+”.
I have used advice given to me on this forum and after adding “HSTS” rules to my .htaccess file, my test results improved (“E” to “A+”). Then, I also added “Content-Security-Policy”, but that did not change my ratings any further.
So, my question is whether “Content-Security-Policy” rules can be implemented by way of an .htaccess file, or must they be implemented server-wide to take effect? The same question applies to “X-Frame-Options”, “X-XSS-Protection”, “X-Content-Type-Options”, “Referrer-Policy” and “Public-Key-Pins”.
Thank you very much, in advance…
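
The headers named in the question, set per-directory through Apache's mod_headers, as an added example that is not part of the original post. All header values are sample values chosen for illustration, and the pin values are placeholders.

```apache
# .htaccess (constructed example, not the poster's file).
# The Header directive is valid in .htaccess context, but only if the server
# configuration allows it for this directory: AllowOverride FileInfo (or All).
<IfModule mod_headers.c>
    # "always" also attaches the header to error responses (4xx/5xx).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Sample policy only; a real policy must list the origins the site
    # actually loads scripts, styles, images and frames from.
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"

    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Public-Key-Pins takes the same form; left commented out because the
    # pin values below are placeholders, and a wrong pin locks visitors out.
    # Header always set Public-Key-Pins "pin-sha256=\"<PRIMARY_PIN_BASE64>\"; pin-sha256=\"<BACKUP_PIN_BASE64>\"; max-age=5184000"
</IfModule>
```

Because the block is wrapped in `<IfModule>`, it is skipped silently when mod_headers is not loaded, so confirm the result by inspecting the response headers (for example with `curl -sI` against the site) rather than by the absence of errors.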