Examples:
security headers

Practical use:
– The file .htaccess just works well for Apache without restart of the web server;
– Having Nginx in front, use of .htaccess may reduce performance;
– In DirectAdmin additional httpd configuration and afterward reload of httpd/Apache
(restart would kill web sessions);
– In Plesk additional apache/nginx configuration does immediately kill websessions by restart web sessions for all domains after each change for one of the domains;
– Ctrl-F5 clears cache in Chrome of a page plus Content Security Policy of that page;
– Caching by web browsers can be avoided in the header section of each web page:
see nocaching.txt

Check and read explanation:
https://securityheaders.com
https://observatory.mozilla.org
Note: learn from other sites. And F12 for messages in red in the webbrowser.

Security header plugin for WordPress:
A plugin, however intended well, causes set up to become out of control: WP Content Security Policy Plugin

Evaluate for coming Content Security Policy:
https://csp-evaluator.withgoogle.com

Advanced checking:
https://www.immuniweb.com/ssl/