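// Content-Security-Policy (Chrome 25+, Firefox 23+, Safari 7+; older browsers simply ignore it).
// NOTE(review): this policy only restricts script-src. With no default-src every other fetch
// (styles, images, frames, plugins/objects) is unrestricted, and host allow-lists such as
// apis.google.com / google-analytics.com are known to be bypassable through JSONP endpoints
// on those hosts. Consider adding "object-src 'none'" and nonces/hashes before enabling it.
// A "http://" source expression also matches the same host over "https://", so the http entries
// are not looser than https on an HTTPS page (plain-http mixed content is blocked anyway).
// (The duplicate https://apis.google.com entry from the original policy has been removed.)
$headerCSP = "Content-Security-Policy: script-src 'self' https://apis.google.com http://maps.googleapis.com http://www.google-analytics.com/; base-uri 'self'";
// The CSP header is intentionally NOT sent yet. Roll it out with Content-Security-Policy-Report-Only
// first, then enable it once inline scripts have been moved out or nonced.
// All header() calls must run before ANY output (including whitespace before "<?php"), otherwise
// PHP drops them with a "headers already sent" warning and the page ships without these protections.
//header($headerCSP);

// X-Frame-Options predates CSP (the X- prefix marks it as a non-standard extension, later described
// in RFC 7034) but is still honoured by current browsers and blocks framing by other origins.
// The standards-track equivalent is the CSP directive "frame-ancestors 'self'".
header('X-Frame-Options: SAMEORIGIN');
header('X-UA-Compatible: IE=edge');

// Accept-Encoding is absent from some requests (and always under the CLI SAPI), so read it with
// isset() to avoid an undefined-index notice/warning. Never send "Content-Encoding: gzip" by hand:
// nothing here compresses the body, so the client would fail to decode the response. If compression
// is wanted, use ob_start('ob_gzhandler') (which negotiates and sets the header itself) or enable
// zlib.output_compression in php.ini.
$acceptEncoding = isset($_SERVER['HTTP_ACCEPT_ENCODING']) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '';
if (substr_count($acceptEncoding, 'gzip')) {
    //header('Content-Encoding: gzip');
}

// Legacy reflective-XSS filter for old IE/Chrome/Safari. Current browsers ignore this header, and
// OWASP now recommends sending "0" because the filter itself introduced side-channel leaks on some
// browsers; a real Content-Security-Policy is the control to rely on. Value kept for compatibility.
header("X-XSS-Protection: 1; mode=block");
?>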