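# Security headers
# The Header directives below need mod_headers. If the module is not loaded,
# Apache rejects this file and answers every request with a 500 instead of
# silently serving pages without the headers.

# Prevent clickjacking (legacy header, kept for older browsers; the
# frame-ancestors directive in the CSP below is the current equivalent)
Header always set X-Frame-Options "SAMEORIGIN"

# Prevent MIME type sniffing
Header always set X-Content-Type-Options "nosniff"

# Legacy XSS filter header. Chromium-based browsers and Firefox ignore it, so
# it only affects older browsers; the Content-Security-Policy is the real
# control. NOTE(review): OWASP's current guidance is to send "0" here.
Header always set X-XSS-Protection "1; mode=block"

# Referrer policy: full URL on same-origin requests, origin only cross-origin,
# nothing on an HTTPS -> HTTP downgrade
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Content Security Policy (adjust as needed)
# - frame-ancestors is listed explicitly because it does not fall back to
#   default-src; 'self' matches the X-Frame-Options policy above.
# - 'unsafe-inline' in style-src still allows injected inline styles; drop it
#   once inline styles have been moved to stylesheets.
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"

# Prevent directory listing
Options -Indexes

# Protect sensitive files
# NOTE(review): this copy of the file had two bare "Require all denied" lines
# with no enclosing <Files>/<FilesMatch> container. Used bare in .htaccess,
# that directive denies access to the whole directory. The two match patterns
# below are reconstructed, not the author's originals: replace them with the
# files this site actually needs to protect.

# Dotfiles (.htaccess, .env, VCS metadata files, ...)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# The PHP error log configured at the bottom of this file
<Files "error.log">
    Require all denied
</Files>

# PHP security settings (if .htaccess can override)
# php_flag / php_value are only understood when PHP runs as an Apache module
# (mod_php). Under PHP-FPM or CGI these lines cause a 500; set the same values
# in php.ini or .user.ini instead.
php_flag display_errors Off
php_flag log_errors On
# A relative error_log path typically ends up inside the web root, which is
# why error.log is denied above. Prefer an absolute path outside the document
# root where the host allows it.
php_value error_log error.log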