Hey! It doesn't really matter how and where you set the header, as long as it is correctly returned to the web browser. If you're using Apache, you can use mod_headers like so:

    Header set Strict-Transport-Security "options"

https://httpd.apache.org/docs/current/mod/mod_headers.html

Not really related to HSTS, but since you are already using Apache, check out ModSecurity and the OWASP Core Ruleset as well; it will give your Apache server a WAF (Web Application Firewall) capability and protect your PHP application from most obviously malicious input.

https://owasp.org/www-project-modsecurity-core-rule-set/
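A way to check that the value reaching the browser is well formed, as an added example that is not part of the post above: it parses a Strict-Transport-Security value using the RFC 6797 rules and reports what a browser would reject. The function name `parse_hsts` and all sample values are constructed for illustration; `preload` is the preload-list convention, not an RFC 6797 directive.

```python
import re

# RFC 6797 section 6.1: directives are ';'-separated, names are
# case-insensitive, max-age is REQUIRED, and no directive may repeat.
# Simplification: a ';' inside a quoted-string value is not handled.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_hsts(value):
    """Return (policy, problems) for one Strict-Transport-Security value."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    problems, seen = [], set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not _TOKEN.match(name):
            problems.append(f"malformed directive: {part!r}")
            continue
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]  # the quoted-string form is legal
            if arg.isascii() and arg.isdigit():
                policy["max_age"] = int(arg)
            else:
                problems.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":  # preload-list convention, ignored by the RFC
            policy["preload"] = True
        # any other directive name is ignored, as the RFC requires
    if "max-age" not in seen:
        problems.append("missing required max-age directive")
    elif policy["max_age"] == 0:
        problems.append("max-age=0 tells the browser to forget the policy")
    return policy, problems

if __name__ == "__main__":
    # Constructed sample values; "options" is the literal placeholder
    # from the directive quoted above.
    for sample in ("max-age=31536000; includeSubDomains", "options"):
        print(repr(sample), parse_hsts(sample))
```

Feed it the header value taken from a real HTTPS response (for example from `curl -sI` output); browsers ignore the header when it arrives over plain HTTP.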