WordPress Security Headers needed for Payment Gateways

Apache2 Security Headers

<IfModule mod_headers.c>
    # "always" applies the header to error and redirect responses as well as 200s.
    # "set" replaces any value already present; "add"/"append" would emit a duplicate
    # (for example "SAMEORIGIN, SAMEORIGIN" when WordPress itself sends X-Frame-Options),
    # which browsers treat as invalid.
    Header always set Strict-Transport-Security "max-age=31415926; includeSubDomains;"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
    # 'unsafe-inline' in script-src is needed by many WordPress themes and plugins,
    # but it weakens the CSP's protection against injected inline scripts.
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; script-src 'self' 'unsafe-inline' https:; style-src 'self' https:;"
    # Feature-Policy is the original name of this header; current browsers read Permissions-Policy.
    Header always set Feature-Policy "geolocation 'self'; vibrate 'none'; payment 'self'; autoplay 'self'"
</IfModule>

For more information about these security headers, read https://www.plesk.com/blog/various/wordpress-security-headers//

Checking your HTTP Headers

Run the following command:

curl -IL <your-website>

Because -L follows redirects, curl prints one header block per response; the headers below should appear in the final block, the one for the page that is actually served:

content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer, strict-origin-when-cross-origin
vary: Accept-Encoding
strict-transport-security: max-age=31415926; includeSubDomains;
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; script-src 'self' 'unsafe-inline' https:; style-src 'self' https:;
feature-policy: geolocation 'self'; vibrate 'none'; payment 'self'; autoplay 'self'
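Reading the curl output by eye is error-prone, so here is an added example (not part of the original page) that parses `curl -IL` output, keeps only the final response after redirects, and reports which of the headers above are missing or weakly configured. The sample output and the 180-day HSTS threshold are constructed for the example.

```python
import re

# Headers the Apache snippet above should produce (lower-cased, as curl prints them).
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options",
            "x-xss-protection", "referrer-policy", "content-security-policy", "feature-policy")


def parse_final_response(raw):
    """Split `curl -IL` output into response blocks and return the headers of the
    last block, i.e. the page actually served after any redirects."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    headers = {}
    for line in blocks[-1].splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return {'missing': [...], 'weak': [...]} for the final response in raw."""
    h = parse_final_response(raw)
    findings = {"missing": [n for n in REQUIRED if n not in h], "weak": []}
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < 15552000):  # under 180 days (constructed threshold)
        findings["weak"].append("strict-transport-security: max-age too short")
    if h.get("x-frame-options", "SAMEORIGIN").upper() not in ("DENY", "SAMEORIGIN"):
        findings["weak"].append("x-frame-options: must be DENY or SAMEORIGIN")
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        findings["weak"].append("content-security-policy: 'unsafe-inline' weakens XSS protection")
    return findings


# Constructed sample of `curl -IL` output: an HTTP->HTTPS redirect, then the final
# response with most (deliberately not all) of the headers from the snippet above.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Location: https://example.com/

HTTP/2 200
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer, strict-origin-when-cross-origin
strict-transport-security: max-age=31415926; includeSubDomains;
x-content-type-options: nosniff
content-security-policy: default-src 'self' https:; script-src 'self' 'unsafe-inline' https:;
"""

if __name__ == "__main__":
    print(check_security_headers(SAMPLE))
```

Pipe a real capture in with `curl -IL https://your-site | python3 check_headers.py` after replacing the `SAMPLE` constant with `sys.stdin.read()`.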