Introduction
If you want to add nosniif, CORS, HTTP Strict-Transport-Security, Clickjack, and X-Xss-Protection headers to a particular user or domain you can add them using the user level Apache includes. It is best to use the Apache includes because they may not get applied when added in .htaccess files.
If you're looking for a document on adding these headers for all domains including the server IP then please refer to: PCI failure - Insecure configuration of Cookie attributes using /etc/apache2/conf.d/includes/pre_main_global.conf instead of user and domain includes below.
Procedure
You first need to create the paths for the includes if they do not already exist. Let's say the user name is fastcar and the domain is fastcar.com you would create the following paths like this
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/fastcar/fastcar.com/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/fastcar/fastcar.com/
Next, you can create a .conf file and place it in either /etc/apache2/conf.d/userdata/ssl/2_4/fastcar/ to be loaded for all domains under the user fastcar or you can create a .conf file for just one domain by creating the domains folder under that user and place the .conf file in that folder. In this example, the .conf file will be for fastcar.conf.
The files then to create would be uniquely named something like
/etc/apache2/conf.d/userdata/ssl/2_4/fastcar/fastcar.com/headers.conf
and
/etc/apache2/conf.d/userdata/std/2_4/fastcar/fastcar.com/headers.conf
Note: one has std for port 80 and one has ssl for port 443 ssl access
Then in each file put the following content:
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options "nosniff"
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
# Add CORS-Header
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET"
# HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Clickjack Attack
Header always set X-Frame-Options "SAMEORIGIN"
# X-Xss-Protection
Header always set X-Xss-Protection "1; mode=block"
# Header Injection
Header unset X-Forwarded-Host
</IfModule>
ProxyAddHeaders Off
If you need to make POST requests to other domains, the allowed methods will need to include POST like so.
Header set Access-Control-Allow-Methods "GET, POST"
If you want this included with all accounts and domains then instead
mkdir -p /etc/apache2/conf.d/userdata/
and create a file of
/etc/apache2/conf.d/userdata/headers.conf
with the above contents.
Then we need to rebuild httpd.conf so those includes get added with
/scripts/rebuildhttpdconf
and then APache restart with
/scripts/restartsrv_httpd