If .htaccess does not work properly because PHP is loaded as CGI
It took a while, but after some investigation the code to make the site more secure turns out to be rather simple. Just add the following lines to your PHP file, before any output is sent (no echo, HTML or even whitespace before them, otherwise PHP can no longer add headers), and it works.
<?php
...
// All header() calls must come before any output.
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
// Send X-Frame-Options only once: a second header() call with the same name
// replaces the first, so setting SAMEORIGIN and then DENY only ever sends DENY.
header("X-Frame-Options: DENY");
// CSP keywords must be in single quotes; "self" in double quotes is not valid CSP.
header("Content-Security-Policy: default-src 'self'");
// HSTS is only meaningful over HTTPS. The "env=HTTPS" conditional is Apache
// syntax and must not be part of the header value; check the connection in PHP.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header("Strict-Transport-Security: max-age=63072000");
}
...
?>
That's it. The website now sends the standard, published protection headers. Alternatively you can use the "HTTP Headers" plugin. Be aware that default-src 'self' blocks every resource loaded from another origin (scripts, stylesheets, fonts such as Google Fonts), so check the browser console for blocked resources after enabling it and verify the headers with a tool such as curl -I or the Mozilla Observatory.
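The same idea as a reusable function, written here as an added example rather than code from the original post: the header list is built once, HSTS is only added when the request really arrived over HTTPS (optionally trusting X-Forwarded-Proto from a reverse proxy you control), and nothing is sent if output has already started. The function names security_headers and send_security_headers, the $trust_proxy parameter and the max-age value are assumptions of this example, not something the post prescribes.

```php
<?php
// Added example, not the original post's code.

/**
 * Return the security header lines for this request.
 * $server is normally $_SERVER. $trust_proxy must only be true when a reverse
 * proxy you control sets X-Forwarded-Proto; otherwise a client could set it
 * and get an HSTS header on a plain-HTTP response.
 */
function security_headers(array $server, bool $trust_proxy = false): array
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if (!$https && $trust_proxy) {
        $https = isset($server['HTTP_X_FORWARDED_PROTO'])
            && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }

    // CSP kept as an array so every allowed source is visible in one place.
    // default-src 'self' blocks third-party fonts, scripts and styles; add
    // explicit directives (e.g. font-src) here if you really need them.
    $csp = [
        "default-src 'self'",
        "object-src 'none'",
        "frame-ancestors 'none'",   // CSP equivalent of X-Frame-Options: DENY
    ];

    $headers = [
        'X-Content-Type-Options: nosniff',
        'X-Frame-Options: DENY',
        'Content-Security-Policy: ' . implode('; ', $csp),
    ];
    if ($https) {
        // Two years, as in the post; consider a short max-age first while testing.
        $headers[] = 'Strict-Transport-Security: max-age=63072000';
    }
    return $headers;
}

/**
 * Emit the headers. Returns false (and logs where output started) if it is
 * already too late to send headers, instead of letting PHP emit a warning.
 */
function send_security_headers(bool $trust_proxy = false): bool
{
    if (headers_sent($file, $line)) {
        error_log("security headers skipped: output already started at $file:$line");
        return false;
    }
    foreach (security_headers($_SERVER, $trust_proxy) as $h) {
        header($h);
    }
    return true;
}

send_security_headers();
```

Call send_security_headers() as early as possible in the request; if the site is WordPress (an assumption, given the mention of themes and plugins), a plugin or the theme's functions.php can call it from the send_headers action. X-XSS-Protection is left out on purpose: current browsers no longer implement the XSS auditor it controlled, so it adds nothing to the CSP.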
Update: Finally, after checking a lot of themes, I could get rid of Google Fonts and the site now looks very clean. A check on Observatory shows that, at the moment, the site looks well protected.