Well, I got into some interesting spaces when I found these two sites:
https://securityheaders.com
and https://hstspreload.org
In order to get an A+ rating for my blog, I went through all the suggested routines, and while I won't detail them, below is what I have landed on as working on my WordPress site.
Add the following to the .htaccess file on your Apache webserver (mod_headers must be enabled, and the quotes have to be plain ASCII double quotes, or Apache rejects the directive):

# Note: plain "Header set" only applies to 2xx responses (the default "onsuccess" condition).
# Use "Header always set" if a header must also appear on redirects and error pages;
# hstspreload.org requires the HSTS header on every HTTPS response, redirects included.
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# X-XSS-Protection is a legacy header that current browsers ignore; it is harmless but adds no protection.
Header set X-Xss-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin"
Header set Permissions-Policy "geolocation=self"
# Replace yoursite.com with your own origin; this header accepts a single origin, not a wildcard pattern.
Header set Access-Control-Allow-Origin "https://yoursite.com"
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "unsafe-none"
Header set Cross-Origin-Resource-Policy "same-site"
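To confirm the headers above actually reach the client, it helps to audit captured responses the way securityheaders.com and hstspreload.org do. The script below is an added example written for this post, not the author's code or either site's tooling; it parses a raw HTTP response (the two sample responses are constructed, roughly what `curl -sI` would print), reports which of the headers listed above are missing, and checks the HSTS value against the three preload submission requirements (max-age of at least one year, includeSubDomains, preload). The second sample shows the failure mode of a plain "Header set": a 301 redirect from the same server that carries none of the headers.

```python
"""Audit security headers on captured HTTP responses (added example)."""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org

# Response headers the .htaccess snippet is meant to produce.
EXPECTED = (
    "strict-transport-security",
    "content-security-policy",
    "x-xss-protection",
    "referrer-policy",
    "permissions-policy",
    "cross-origin-embedder-policy",
    "cross-origin-opener-policy",
    "cross-origin-resource-policy",
)

# Constructed sample: a 200 response carrying every header from the snippet.
RESPONSE_200 = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin
Permissions-Policy: geolocation=self
Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: unsafe-none
Cross-Origin-Resource-Policy: same-site
"""

# Constructed sample: a redirect from the same server. With plain "Header set"
# (default "onsuccess" condition) Apache adds the headers only to 2xx responses,
# so this 301 has none of them, which fails the hstspreload.org requirement.
RESPONSE_301 = """HTTP/1.1 301 Moved Permanently
Location: https://example.com/blog/
Content-Type: text/html; charset=iso-8859-1
"""


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, {lower-cased header name: value}) for a raw response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_hsts(value: str) -> List[str]:
    """Return the hstspreload.org submission requirements this HSTS value fails."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip()
    problems: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


def audit(raw: str) -> Dict[str, object]:
    """Summarise missing headers and HSTS problems for one raw response."""
    status, headers = parse_response(raw)
    missing = [name for name in EXPECTED if name not in headers]
    hsts = headers.get("strict-transport-security")
    hsts_problems = check_hsts(hsts) if hsts else ["header absent"]
    return {"status": status, "missing": missing, "hsts_problems": hsts_problems}


if __name__ == "__main__":
    for sample in (RESPONSE_200, RESPONSE_301):
        result = audit(sample)
        print(f"HTTP {result['status']}: missing={result['missing']}, "
              f"hsts={result['hsts_problems']}")
```

Running it prints a clean result for the 200 response and flags every header, HSTS included, as missing on the 301; if your own captured redirect looks like the second sample, switch the HSTS line to "Header always set".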