If .htaccess cannot be used properly because PHP is loaded as CGI
Well, it took some time, but after some investigation the code to make the site more secure turns out to be rather simple. Just add the following lines to your PHP file and it works.
<?php
// Send these before any output (no echo, HTML or whitespace before this point),
// otherwise the headers have already gone out and header() has no effect.
header("X-XSS-Protection: 1; mode=block");
header("X-Frame-Options: SAMEORIGIN"); // or DENY if the site must never be framed at all
header("X-Content-Type-Options: nosniff");
// "env=HTTPS" is Apache .htaccess syntax, not part of the header value; in PHP
// check the scheme yourself and only send HSTS over HTTPS.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header("Strict-Transport-Security: max-age=63072000");
}
// CSP keywords such as self must be single-quoted; "self" would be read as a host name.
header("Content-Security-Policy: default-src 'self'");
// ... rest of your PHP code ...
?>
That’s it. Now the website is at least secured with the standard, published protection mechanisms. Alternatively you can use the “HTTP Headers” plugin.
Update: Finally, after checking a lot of themes, I could get rid of Google Fonts and the site now looks very clean. A check on Observatory shows that, at the moment, the site looks well protected.
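To verify the result yourself (similar to what the Observatory check does), here is an added example that is not part of the original post: a small Python audit that takes a site's response headers and reports the headers that are missing or malformed, including the two mistakes that are easy to make when copying .htaccess syntax into PHP (Apache `env=HTTPS` residue in the HSTS value and a double-quoted `"self"` in the CSP). The sample header sets below are constructed for the demonstration; `fetch_headers` is a hypothetical helper for checking a live site.

```python
import re
from urllib.request import urlopen

# CSP source keywords that are only valid when single-quoted ('self', 'none', ...)
CSP_KEYWORDS = ("self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic")


def audit_security_headers(headers):
    """Return a list of findings for a response-header mapping (names are
    matched case-insensitively). An empty list means every header the post
    sets is present and well-formed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif not re.fullmatch(r"max-age=\d+(;\s*(includeSubDomains|preload))*", hsts, re.I):
        # Catches Apache 'Header' residue such as quotes or 'env=HTTPS' in the value
        findings.append(f"Strict-Transport-Security malformed: {hsts!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("Content-Security-Policy has no default-src")
        for kw in CSP_KEYWORDS:
            # bare or double-quoted keyword: browsers treat it as a host name, not a keyword
            if re.search(rf'(^|[\s;])"?{kw}"?(?=[\s;]|$)', csp):
                findings.append(f"CSP keyword {kw} must be written as '{kw}'")
    return findings


def fetch_headers(url, timeout=10):
    """Fetch `url` and return its response headers as a plain dict (network use)."""
    with urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples: the first copy of the snippet above, and the corrected one.
BROKEN = {"X-XSS-Protection": "1; mode=block", "X-Frame-Options": "DENY",
          "X-Content-Type-Options": "nosniff",
          "Strict-Transport-Security": '"max-age=63072000" env=HTTPS',
          "Content-Security-Policy": 'default-src "self"'}
FIXED = dict(BROKEN, **{"Strict-Transport-Security": "max-age=63072000",
                        "Content-Security-Policy": "default-src 'self'"})

if __name__ == "__main__":
    print(audit_security_headers(BROKEN))  # two findings: HSTS value and CSP 'self'
    print(audit_security_headers(FIXED))   # []
```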