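# -------------------------------------------------------------
# BASIC BROWSER SECURITY HEADERS
#
# Every directive below needs mod_headers. Without the IfModule
# guard, Apache refuses to start (unknown directive "Header") on a
# server where the module is not loaded, so the whole .htaccess
# takes the site down instead of degrading gracefully.
# -------------------------------------------------------------
<IfModule mod_headers.c>

    # Stop the browser from MIME-sniffing a response away from its
    # declared Content-Type (blocks e.g. an uploaded "image" being run as a script).
    Header always set X-Content-Type-Options "nosniff"

    # Legacy clickjacking defence. Browsers that understand CSP
    # frame-ancestors (set below) ignore this header; it only covers old clients.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Referrer-Policy: full URL only to same-origin, origin only cross-origin,
    # nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # HSTS. Browsers ignore this header on plain-HTTP responses, so it is
    # only emitted when mod_ssl marks the request as TLS (env=HTTPS).
    # It does NOT redirect HTTP to HTTPS by itself; keep a Redirect/RewriteRule
    # for that. If TLS is terminated by an upstream proxy, HTTPS is not set
    # here; derive it from the proxy header instead, e.g.
    #   SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
    # WARNING: includeSubDomains + preload is effectively irreversible once the
    # domain is submitted to the preload list; every subdomain must serve valid
    # TLS first. Drop "preload" until that has been verified.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

    # -------------------------------------------------------------
    # PERMISSIONS POLICY (formerly Feature-Policy)
    # Controls which browser APIs/features the page and its iframes may use.
    # An empty allow-list "()" disables the feature everywhere; "(self)"
    # allows it for same-origin content only.
    # -------------------------------------------------------------
    Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=(), fullscreen=(self)"

    # -------------------------------------------------------------
    # CONTENT SECURITY POLICY (CSP)
    # Defines which resources the browser may load.
    # Adjust the script/style/image/font/connect sources to the site.
    #
    # NOTE(review): script-src 'self' 'unsafe-inline' 'unsafe-eval' https:
    # permits inline scripts, eval(), and any script from any HTTPS host, so
    # this policy provides essentially no XSS mitigation. Once the site's
    # script sources are known, replace 'unsafe-inline'/'unsafe-eval'/https:
    # with nonces or hashes and an explicit host allow-list. Trial a stricter
    # policy via Content-Security-Policy-Report-Only with a report-to /
    # report-uri endpoint before enforcing it.
    # The value is kept on one line: Apache does not allow a quoted directive
    # argument to span lines unless every continued line ends with "\".
    # -------------------------------------------------------------
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https: data:; connect-src 'self' https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests"

</IfModule>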