<IfModule headers_module>
Header set X-Clacks-Overhead "GNU Terry Pratchett"
Header set X-XSS-Protection: "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options: "nosniff"
Header set Content-Security-Policy: "script-src 'self'"
Header set strict-transport-security: "max-age=31536000; includeSubdomains"
</IfModule>
Combine this with
ServerTokens ProductOnly
ServerSignature Off
in /etc/apache/apache2.conf
and
expose_php = off
in /etc/php5/apache2/php.ini
Check your security with https://securityheaders.io/
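An offline counterpart to that check, as an added example that is not part of the original page: it audits a raw response header block against the headers, ServerTokens and expose_php settings above. The function names audit and hsts_max_age are hypothetical, and the sample response is constructed.

```python
from email.parser import Parser

# Constructed sample: a response from a server where the config is only partly applied.
SAMPLE = """\
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.40
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self'
Strict-Transport-Security: max-age=86400
"""

EXPECTED = {  # header -> lowercase substring the config on this page should produce
    "X-XSS-Protection": "mode=block",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self'",
    "Strict-Transport-Security": "max-age=",
}

def hsts_max_age(value):
    """Return max-age in seconds, or None when the directive is missing or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.strip('"').isdigit():
            return int(num.strip('"'))
    return None

def audit(raw_headers):
    """Return a sorted list of findings for a raw header block (names are case-insensitive)."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings = []
    for name, needle in EXPECTED.items():
        values = msg.get_all(name) or []
        if not values:
            findings.append(f"missing {name}")
        elif not any(needle in v.lower() for v in values):
            findings.append(f"unexpected {name}: {values[0]}")
    hsts = msg.get("Strict-Transport-Security")
    if hsts and (hsts_max_age(hsts) or 0) < 31536000:
        findings.append("HSTS max-age below 31536000")
    if "/" in (msg.get("Server") or ""):  # ServerTokens ProductOnly sends just "Apache"
        findings.append("Server header exposes version")
    if msg.get("X-Powered-By"):  # expose_php = off removes this header entirely
        findings.append("X-Powered-By present")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a live server, paste the header lines of its response (without the status line) into audit().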