Fix Missing Security Headers on Apache

Apache can emit security headers with mod_headers via Header set or Header always set in .htaccess or a <VirtualHost>. Without them, browsers fall back to permissive defaults and your site may fail an audit or corporate policy scan.

Order matters: enable the module, then add one block per directive family (HSTS with a sane max-age, a concrete CSP instead of wildcards, X-Frame-Options or frame ancestors in CSP). Test on staging because a typo can take down CSS or scripts.

Compare Nginx and Vercel. HeadersFixer reads your deployment and suggests the exact Apache lines.