Header security, just one setting is OK:
Security Headers for
https://app.webinspector.com/recent_detections
Using user-agent for Chrome 31.0-WinXP 32-bit
Result | Category | Name | Actual Value | Our Recommendation
Missing | Framing | X-Frame-Options | | Use 'sameorigin'
Warning | Transport | Strict-Transport-Security | max-age=15768000 | Use 'max-age=31536000; includeSubDomains'
Missing | Content | X-Content-Type-Options | | Use 'nosniff'
Correct | Content | Content-Type | text/html; charset=utf-8 | Use 'text/html;charset=utf-8'
Missing | XSS | X-XSS-Protection | | Use '1; mode=block'
Warning | Cookies | Set-Cookie | risk=; path=/; expir...ov-2014 17:23:07 GMT | Add 'secure; httponly;'
Warning | Cookies | Set-Cookie | list=50; path=/; exp...ov-2014 17:23:07 GMT | Add 'secure; httponly;'
Warning | Cookies | Set-Cookie | _WI_session=e6a0e0ce...:38:07 GMT; HttpOnly | Add 'secure;'
Warning | Caching | Cache-Control | max-age=0, private, must-revalidate | Add 'no-cache, no-store'
Missing | Caching | Pragma | | Use 'no-cache'
Missing | Caching | Expires | | Use '-1'
Missing | Access Control | X-Permitted-Cross-Domain-Policies | | Use 'master-only'
Missing | Content Security Policy | Content-Security-Policy | | Try Content-Security-Policy-Report-Only to start. Include default-src 'self', avoid 'unsafe-inline' and 'unsafe-eval'
Other Headers
Name | Value
ETag | "c590764761591ea9e394ca9051561269"
X-Request-Id | 7f0ba18b65fc97db2780b66f2d4c2f97
X-UA-Compatible | IE=Edge,chrome=1
Date | Mon, 27 Oct 2014 17:23:07 GMT
X-Rack-Cache | miss
Connection | Keep-Alive
Status | 200
Keep-Alive | timeout=5, max=100
Content-Length | 25140
Server | Apache
polonus