I was asked (a long time ago - sorry Troy!) for a copy of the base security headers we currently use in the .htaccess file of our site and our clients' sites.
Keeping in mind that your mileage may vary depending on your server and the needs or configuration of your website, here they are:
Code:
<IfModule mod_headers.c>
#Allow Your Site To Be Framed By Its Own Origin Only (use "DENY" to forbid framing entirely)
Header always set X-Frame-Options "SAMEORIGIN"
#(HSTS) Policy Enforces The Use Of HTTPS (env=HTTPS: only sent on TLS responses, so plain-HTTP responses never carry it)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
#Set How Much Referrer Info Is Leaked When Linking Off Site (disabled here; remove the leading # to enable)
#Header set Referrer-Policy "same-origin"
#Control Which Features Can Be Used In The Browser (header name takes no trailing colon)
Header set Permissions-Policy "geolocation=(), microphone=()"
#Stops Browsers MIME Sniffing The Content Type
Header always set X-Content-Type-Options "nosniff"
#Set the content security policy for SVG files only: an SVG opened directly can carry script, so forbid it
<FilesMatch "\.svg$">
Header always set Content-Security-Policy "script-src 'none'"
</FilesMatch>
</IfModule>
#Hide every file from auto-generated directory listings
<IfModule mod_autoindex.c>
IndexIgnore *
</IfModule>
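An added check, not part of the original post, for confirming that a site actually returns the policy above: it takes the response headers as a dict (a constructed sample here; in practice the headers from `curl -I` or `requests.head(url).headers`, which is an assumption about how you fetch them) and lists every deviation from the .htaccess configuration in the post.

```python
import re

HSTS_MIN_AGE = 31536000  # one year, the max-age used in the .htaccess above

def _get(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_headers(headers, over_https=True):
    """Compare one response's headers with the policy above; return a list of findings."""
    findings = []
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if over_https:  # the env=HTTPS condition means HSTS is only expected on TLS responses
        hsts = _get(headers, "Strict-Transport-Security") or ""
        age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not age or int(age.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS missing or max-age below one year")
        elif "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    pp = _get(headers, "Permissions-Policy") or ""
    for feature in ("geolocation", "microphone"):
        if not re.search(rf"\b{feature}=\(\)", pp):
            findings.append(f"Permissions-Policy does not disable {feature}")
    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy not set (the post ships it commented out)")
    ctype = (_get(headers, "Content-Type") or "").lower()
    if ctype.startswith("image/svg+xml"):  # the FilesMatch block applies to SVG responses
        csp = (_get(headers, "Content-Security-Policy") or "").lower()
        if "script-src 'none'" not in csp:
            findings.append("SVG served without CSP script-src 'none'")
    return findings

# Constructed sample: what a compliant HTML response from the .htaccess above would send
GOOD_HTML = {
    "Content-Type": "text/html; charset=UTF-8", "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "same-origin", "Permissions-Policy": "geolocation=(), microphone=()",
    "X-Content-Type-Options": "nosniff",
}
# Constructed sample: an SVG response on which the FilesMatch block did not take effect
BAD_SVG = {"Content-Type": "image/svg+xml", "X-Content-Type-Options": "nosniff"}
```

`check_headers(GOOD_HTML)` returns an empty list; `check_headers(BAD_SVG)` lists the missing framing, HSTS, feature, referrer and SVG CSP controls.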