Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Header always set Referrer-Policy strict-origin
+ Header always set X-Frame-Options sameorigin
<Directory /srv/web/ipfire/html>
Options ExecCGI