由于到目前为止还没有人提到它，你必须删除每个标题前的 * 破折号 *！
我可以推荐Immuniweb来测试网站的安全性。它会告诉你哪些头文件不够严格，哪些已经过时，以及如何改进。在.htaccess中太多的配置会降低网站的速度，所以如果任何头文件过时，请在下面评论。

# Security Headers
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header set Referrer-Policy "no-referrer"
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

• 或使用up 2date标题：*

<IfModule mod_headers.c>
      Header set X-Frame-Options "DENY"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Content-Type-Options "nosniff"
      Header set X-Permitted-Cross-Domain-Policies "none"
      Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      Header set Referrer-Policy "no-referrer"
      Header set Permissions-Policy "accelerometer=()‚ autoplay=(self), camera=(), encrypted-media=(), fullscreen=(), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), interest-cohort=()"
      Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self'; report-uri /security-report.php"
</IfModule>