Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks. You can find more info on their site.
The optional enforce directive controls whether the browser should enforce the policy or treat it as report-only. The directive takes no value: include it to have the browser enforce the policy, or leave it out to have the browser only report violations.
The required max-age directive specifies the number of seconds that the browser should cache and apply the received policy for, whether enforced or report-only.
The report-uri directive specifies where the browser should send reports if it does not receive valid CT information. This is specified as an absolute URI.
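To make the three directive rules above concrete, here is an added example (not code from the original page) that parses an Expect-CT header value the way a browser would and reports which rules a value breaks: enforce must carry no value, max-age is required and must be an integer number of seconds, and report-uri must be an absolute URI. The header values fed to it are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Split on commas that are outside double-quoted values (a report-uri may contain commas).
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A directive is a name, optionally followed by = and a quoted or bare token value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*(?:"([^"]*)"|([^",;\s]+)))?\s*$')

@dataclass
class ExpectCT:
    enforce: bool = False
    max_age: Optional[int] = None      # seconds the browser caches the policy
    report_uri: Optional[str] = None   # absolute URI that receives failure reports
    errors: list = field(default_factory=list)

def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT header value and collect policy errors."""
    policy = ExpectCT()
    for raw in _SPLIT.split(value):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.errors.append(f"unparseable directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "enforce":
            policy.enforce = True          # presence alone switches enforcement on
            if val is not None:
                policy.errors.append("enforce takes no value")
        elif name == "max-age":
            if val is None or not val.isdigit():
                policy.errors.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(val)
        elif name == "report-uri":
            parts = urlparse(val or "")
            if parts.scheme and parts.netloc:
                policy.report_uri = val
            else:
                policy.errors.append("report-uri must be an absolute URI")
        else:
            policy.errors.append(f"unknown directive: {name}")
    if policy.max_age is None:
        policy.errors.append("max-age is required")
    return policy
```

Running it over the literal value from the config below (report-uri="url") flags the placeholder as a non-absolute URI, which is exactly what a browser would silently drop.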
# Remove headers that leak implementation details.
Header unset ETag
Header unset Server
# Stop MIME sniffing and turn on the legacy browser XSS filter.
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
# Mark every cookie HttpOnly and Secure.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Legacy prefixed CSP header using the old "allow" syntax; modern browsers only honour Content-Security-Policy (e.g. default-src 'self').
Header set X-Content-Security-Policy "allow 'self';"
Header set X-Frame-Options DENY
# The value must be quoted. This applies to every response, so scope it to static assets if your pages are dynamic.
Header set Cache-Control "public, max-age=31536000"
Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t"
# No colon after the header name.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Replace url with the absolute URI of your report endpoint. You can gradually increase the max-age once you are confident that it has been set up properly.
Header set Expect-CT "enforce, max-age=30, report-uri=\"url\""
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
systemctl restart apache2