I was fiddling around with securityheaders.com on my website, which was getting an "F", which made me sad. So I added a few directives to my webserver:
# Caddyfile `header` directive: a leading "-" removes a response header,
# everything else is added to every response.
header {
# Drop the two headers that advertise the server software and the PHP version.
-Server
-x-powered-by
# Opt out of FLoC cohort calculation.
Permissions-Policy interest-cohort=()
# HSTS for one year; the directive is spelled includeSubDomains (browsers
# silently ignore unknown directives such as "include-subdomains", so the
# subdomains would not have been covered).
strict-transport-security "max-age=31536000; includeSubDomains"
# Refuse to be framed at all (clickjacking).
X-Frame-Options DENY
# Stop browsers from MIME-sniffing responses into a different type.
X-Content-Type-Options nosniff
# Legacy XSS auditor toggle; current browsers ignore it, harmless to keep.
X-XSS-Protection "1; mode=block"
# Send the full referrer only to HTTPS origins, never on a downgrade to HTTP.
Referrer-Policy no-referrer-when-downgrade
}
This had the nice effect of making my site go from an "F" to an "A". I didn't bother with CSP, since I am not in a mood to configure it. But it also turned off the server type, and the version of the interpreter running underneath. Anyone using Grav can see this, but at least I make it harder for the automatic scanners to figure out which version I am running.
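To test a header change before deploying it, and without depending on an external scanner, here is an added offline checker that is not part of the original post. It grades a set of response headers against the same rules the grade above reflects: software-version leakage, HSTS with a long enough max-age and subdomain coverage, framing, MIME sniffing, referrer policy and the missing CSP. The `BEFORE` and `AFTER` header sets are constructed samples, not captures from the author's site, and the 6-month HSTS threshold is an assumption chosen to match common scanner practice.

```python
"""Offline audit of HTTP security response headers (added example)."""
from __future__ import annotations

import re

# Assumed threshold: six months is what most scanners treat as "long enough".
MIN_HSTS_MAX_AGE = 15768000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive. Unknown directives (for example the
    misspelling "include-subdomains") are ignored, exactly as browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means nothing to complain about."""
    # Header names are case-insensitive, so fold them before comparing.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # Information leakage: these tell scanners what software you run.
    for leaky in ("server", "x-powered-by"):
        if leaky in h:
            findings.append(f"{leaky} header leaks software info: {h[leaky]!r}")

    # HSTS must be present, long enough, and cover subdomains.
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age missing or shorter than 6 months")
        if not hsts["include_subdomains"]:
            findings.append("HSTS does not cover subdomains (includeSubDomains)")

    # Clickjacking protection.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # MIME sniffing.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Referrer leakage: anything weaker than no-referrer-when-downgrade is flagged.
    acceptable = {"no-referrer", "same-origin", "strict-origin",
                  "strict-origin-when-cross-origin", "no-referrer-when-downgrade"}
    if h.get("referrer-policy", "").strip().lower() not in acceptable:
        findings.append("Referrer-Policy missing or too permissive")

    # The one thing the config above leaves out.
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    return findings


# Constructed "before" response, typical of a stock PHP-backed site.
BEFORE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed "after" response, what the header block above produces.
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "interest-cohort=()",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        findings = audit_headers(hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Feed it a real response by building the dict from `curl -sI https://example.org` output; the `parse_hsts` function also makes the `include-subdomains` versus `includeSubDomains` difference visible, since the misspelled form parses as "subdomains not covered".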
At some point I will further harden things, but this was a fun little exercise.