Securityheaders in .htaccess

Bas

Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set X-Xss-Protection '1; mode=block'
Header always set Referrer-Policy 'no-referrer'
Header always set Cache-Control 'max-age=2628000'
Header always set X-Powered-By ComputerBas
Header always set X-Permitted-Cross-Domain-Policies 'master-only'
Header always set X-Download-Options 'noopen'
Header always set X-Powered-By ComputerBas
Header always set Expect-CT max-age=0
Header always set Expect-Staple 'max-age=31536000; includeSubDomains; preload'
Header always set Accept-Ranges bytes
Header always set Allow "GET, POST"
Header always set X-DNS-Prefetch-Control on
Header always set X-Robots-Tag all
Header always set Trailer Max-Forwards
Header always set Tk ?
Header always set X-UA-Compatible IE=edge,chrome=1
Header always set X-AspNet-Version ComputerBas
Header always set Access-Control-Allow-Origin https://yourwebsite.nl
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Methods "POST, GET"
Header always set Access-Control-Allow-Headers "origin"
Header always set Access-Control-Request-Method "POST, GET"
Header always set Access-Control-Request-Headers "X-PINGOTHER, Content-Type"
Header always set Access-Control-Max-Age 3600
Header always set Access-Control-Expose-Headers: Content-Length
Header always set cross-origin-embedder-policy "unsafe-none"
Header always set cross-origin-opener-policy "unsafe-none"
Header always set cross-origin-resource-policy "cross-origin"
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' https://fonts.googleapis.com; img-src data: 'self'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; media-src 'none'; manifest-src 'none'; base-uri 'none'; form-action 'none'; child-src 'none'; upgrade-insecure-requests;"
Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), midi=(),fullscreen=()"
Header always set Set-Cookie __Secure-sessionid=blabla;Path=/;Secure;HttpOnly;SameSite=Strict
SetEnv no-gzip 1