Testing here + some sketches for .htaccess:
# XSS Protection
<IfModule mod_headers.c>
    Header set X-Frame-Options SAMEORIGIN
    # X-XSS-Protection is non-standard and ignored by current browsers; kept from the original sketch
    Header set X-XSS-Protection "1; mode=block"
    # Old experimental prefix; the standard header is Content-Security-Policy "default-src 'self'"
    ##Header set X-Content-Security-Policy "allow 'self';"
    Header set X-Content-Type-Options "nosniff"
    # "add" appends; use "set" if another layer may already send HSTS, to avoid duplicate headers
    Header add Strict-Transport-Security "max-age=157680000"
    Header unset X-Powered-By
    Header unset X-Pingback
    # No colon after the header name in a Header directive, and quote the value
    Header add X-Permitted-Cross-Domain-Policies "master-only"
</IfModule>
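As an added check that is not part of the original sketch, a small Python audit that takes the headers of a captured response (name mapped to a list of values, since a header may be sent more than once) and reports which of the directives above are missing, carry an unexpected value, or are still present; the sample response at the bottom is constructed.

```python
# Expected values for the headers the sketch sets; names compare case-insensitively.
REQUIRED = {
    "x-frame-options": {"sameorigin"},
    "x-content-type-options": {"nosniff"},
    "x-permitted-cross-domain-policies": {"master-only"},
}
FORBIDDEN = ("x-powered-by", "x-pingback")  # headers the sketch unsets
MIN_HSTS_MAX_AGE = 157680000  # the max-age used in the sketch (five years)


def parse_hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or -1 if absent/malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1


def audit_headers(headers: dict[str, list[str]]) -> list[str]:
    """Compare response headers with the sketch; return findings, [] if clean."""
    norm = {k.lower(): [v.strip() for v in vals] for k, vals in headers.items()}
    findings = []
    for name, allowed in REQUIRED.items():
        vals = norm.get(name)
        if not vals:
            findings.append(f"missing {name}")
        elif vals[0].lower() not in allowed:
            findings.append(f"{name} has unexpected value {vals[0]!r}")
    for name in FORBIDDEN:
        if name in norm:
            findings.append(f"{name} still present: {norm[name][0]!r}")
    hsts = norm.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing strict-transport-security")
    else:
        if len(hsts) > 1:  # typical when 'Header add' stacks on another layer's HSTS
            findings.append("strict-transport-security sent more than once")
        if parse_hsts_max_age(hsts[0]) < MIN_HSTS_MAX_AGE:  # browsers use the first
            findings.append(f"strict-transport-security max-age below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample: a response from a server with only part of the sketch applied.
SAMPLE = {
    "X-Frame-Options": ["SAMEORIGIN"],
    "X-Content-Type-Options": ["nosniff"],
    "Strict-Transport-Security": ["max-age=31536000", "max-age=157680000"],
    "X-Powered-By": ["PHP/7.4"],  # constructed value
}
```

Running `audit_headers(SAMPLE)` reports the missing cross-domain policy header, the leftover X-Powered-By, the duplicated HSTS header and its too-short first max-age.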