Adding Response Headers for Security

I'm looking to add some HTTP Response Headers for security, such as the ones below. I don't see a place within the Concrete5 front end to add these headers, and can't seem to find the file they're generated from while digging around in the back end. What's the best practice here?

(Examples copied from )

strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

Mnkras replied:
We do set x-frame-options, but the other ones aren't set by default (I don't think), but you can pretty easily set them via a middleware; this is the one for x-frame-options:
PaulMuadDib replied:
If you are using Apache you can add them by editing the .htaccess file. See the link below. It is about WordPress, but the same applies to C5 as well.
mnakalay replied (Best Answer):
There's actually a free add-on for that:
Steevb replied:
I've been playing with the .htaccess settings for a few weeks, didn't quite get all the green lights. Finding this thread and then using the add-on has been a massive boost and is so easy to set up. Headache over. Thank you.
Steevb replied:
BTW: The site in question is using c5 8.5.4, PHP 7.4.14, Server ‘LightSpeed’ and ‘' gives ‘A’ for all except first time byte.
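Whichever route is used (middleware, .htaccess or the add-on), the result can be checked against the four headers from the question. The following is an added example, not code from any poster in this thread or from Concrete5: it audits a raw response head, matching header names case-insensitively and flagging a header sent more than once, which can happen when both the application and the web server set it. The function names and the sample response are constructed for illustration.

```python
import re
from collections import defaultdict

MIN_HSTS_MAX_AGE = 31536000  # one year, the value in the question's example

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = defaultdict(list)
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def check_hsts(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return "max-age missing or below 31536000"
    if "includesubdomains" not in value.lower():
        return "includeSubDomains absent"
    return None

# One validator per header from the question; each returns a problem or None.
CHECKS = {
    "strict-transport-security": check_hsts,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "unexpected value",
    "x-xss-protection": lambda v: None if re.fullmatch(r"1\s*;\s*mode\s*=\s*block", v, re.I) else "not '1; mode=block'",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "not 'nosniff'",
}

def audit(raw):
    """Return 'header: problem' findings; an empty list means all four pass."""
    headers = parse_headers(raw)
    findings = []
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times")
        findings += [f"{name}: {p}" for p in map(check, values) if p]
    return findings

# Constructed sample: short HSTS lifetime, duplicated X-Frame-Options, no X-XSS-Protection.
WEAK = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nx-frame-options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n<html>")
if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "all four headers present and well-formed")
```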