Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN

 #Header add Content-Security-Policy "default-src 'self';
#Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
#Header set Referrer-Policy "same-origin""
#Header Referrer-Policy: no-referrer-when-downgrade 

Header always set Content-Security-Policy "upgrade-insecure-requests;"