.htaccess
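# Per-directory hardening: HTTP method restriction, PHP session and error
# settings, security response headers, and cache policy.

# Refuse every HTTP method other than GET and POST. Apache's <Limit> handling
# treats HEAD together with GET, so HEAD stays allowed.
# NOTE(review): "Deny from all" is Apache 2.2 access-control syntax; on 2.4 it
# depends on mod_access_compat, and the native form is "Require all denied".
# Confirm which server version serves this directory before changing it.
<LimitExcept GET POST>
Deny from all
</LimitExcept>

# No auto-generated directory listings.
Options -Indexes

# PHP settings. php_flag is only understood when PHP runs as an Apache module.
# Session cookie: hidden from script access and sent over HTTPS only.
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# NOTE(review): register_globals and magic_quotes_gpc were removed in PHP 5.4.
# magic_quotes_gpc is not a replacement for parameterized queries or
# context-aware output escaping; verify the application does not rely on it.
php_flag register_globals off
php_flag magic_quotes_gpc true
# Keep error details out of responses; errors should still reach a
# server-side log (see PHP's log_errors setting).
php_flag display_errors Off

# NOTE(review): every "Header set" below without "always" uses mod_headers'
# default onsuccess table, so error responses produced by Apache itself are
# presumably sent without these headers. Confirm whether that is acceptable.

# Obsolete WebKit-prefixed CSP header. Its policy is stricter than the
# Content-Security-Policy further down.
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"

# Default cache policy: responses must not be stored or reused.
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
Header set Pragma "no-cache"

# Framing only by same-origin pages; no MIME sniffing.
Header set X-Frame-Options SAMEORIGIN
# NOTE(review): X-XSS-Protection controls a legacy browser XSS filter that
# current browsers no longer implement; it adds no protection there.
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"

# HSTS: exactly one policy per response. The original also issued
# "Header set Strict-Transport-Security" without includeSubdomains; "always"
# and the default onsuccess condition are separate tables, so successful
# responses carried two conflicting headers. The onsuccess copy is now
# cleared and the "always" policy is the only one sent.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header unset Strict-Transport-Security

# Content Security Policy.
# NOTE(review): 'unsafe-inline' in script-src permits inline script, so this
# policy does not stop injected inline script from running. The keyword has
# no effect in connect-src and img-src. Tightening it requires moving inline
# scripts and styles to files, or using nonces or hashes.
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self' 'unsafe-inline'; img-src 'self' data: blob: *.openstreetmap.org 'unsafe-inline'; style-src 'self' 'unsafe-inline';"

# Static assets: cacheable for 604800 s (7 days), browser cache only.
<FilesMatch "\.(ico|flv|jpg|jpeg|png|gif|js|css|svg)$">
Header set Cache-Control "max-age=604800, private"
</FilesMatch>
# PNG files with "openstreetmap" in the name: 2592000 s (30 days), shared
# caches allowed. Listed after the block above so it takes effect for them.
<FilesMatch ".*openstreetmap.*\.png$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>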