Recommended secure headers



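# Apache (mod_headers) response headers. "always" is used on every line: plain
# "Header set" only acts on 2xx responses, so redirects, 4xx/5xx and error
# documents would otherwise be sent without these headers.

# Legacy XSS auditor. The filter is removed from current browsers and, in older
# ones, had its own weaknesses; OWASP guidance is to disable it explicitly with "0".
Header always set X-XSS-Protection "0"
# Clickjacking defence: only same-origin pages may frame this site. The CSP
# frame-ancestors directive is the modern equivalent; this covers older clients.
Header always set X-Frame-Options "SAMEORIGIN"
# Stop browsers sniffing a response into a different Content-Type than declared.
Header always set X-Content-Type-Options "nosniff"
# HSTS for two years including subdomains. Serve only over HTTPS, and only once
# every subdomain is reachable over TLS, since clients will then refuse plain HTTP.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Send Referer only on same-origin requests.
Header always set Referrer-Policy "same-origin"
# Feature-Policy is the deprecated predecessor of Permissions-Policy (below);
# kept for browsers that predate the new header.
Header always set Feature-Policy "geolocation 'self'; vibrate 'none'"
# Expect-CT is obsolete: browsers now require Certificate Transparency by default
# and ignore this header. Harmless, but it can be dropped.
Header always set Expect-CT "max-age=7776000, enforce"
# Minimal CSP: rewrites http:// subresource URLs to https://. A production policy
# should also restrict script, object and frame sources for the site.
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Permissions-Policy allowlists are written as parenthesised lists; (self)
# restricts geolocation to this origin.
Header always set Permissions-Policy "geolocation=(self)"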