We set up Apache to set headers, like the X-Frame-Options.
But this doesn’t work for the 403 pages, only the Strict-Transport-Security works. On non-error pages, the headers are showing correctly in the browser/security scans.
The headers are set to the virtual hosts and later also to the global Apache configuration, without any luck.
The problem is that some security scans show warnings to the customers and they think the sites are unsafe.
Is it possible to set the headers, so 403 pages are also delivering this to the browsers?
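
An added example, not part of the original post: in Apache's mod_headers, a `Header` directive without a condition works on the `onsuccess` table, which is not sent on error responses, while the `always` condition also covers responses such as 403. The directory path and header values below are constructed assumptions, and the fragment is meant for a virtual host or the global server configuration.

```apache
# Added example; path and header values are assumptions, not taken from the post.
<IfModule mod_headers.c>
    # Before: no condition means "onsuccess". Headers in that table are
    # left off error responses (403, 404, 5xx), which matches the symptom above.
    # Header set X-Frame-Options "SAMEORIGIN"

    # After: the "always" table is added to every response, including
    # errors, and is kept across internal redirects such as ErrorDocument.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Strict-Transport-Security "max-age=31536000"

    # "onsuccess" and "always" are separate tables. Remove any copy left
    # in the onsuccess table so successful responses do not carry the
    # header twice.
    Header onsuccess unset X-Frame-Options
    Header onsuccess unset Strict-Transport-Security
</IfModule>

# Constructed location that answers 403, for checking the result.
<Directory "/var/www/example/private">
    Require all denied
</Directory>
```

After a reload, `curl -sI` against the denied path should show both headers on the 403 response, and each header exactly once on a normal page.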