diff --git a/roles/apache/templates/secure-ssl.conf b/roles/apache/templates/secure-ssl.conf
index de2cbcb..a278cba 100644
--- a/roles/apache/templates/secure-ssl.conf
+++ b/roles/apache/templates/secure-ssl.conf
@@ -1,17 +1,31 @@
 SSLEngine off
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCompression off
 # Ciphers we're allowed to use
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 # OCSP configuration
 SSLUseStapling on
 SSLStaplingResponderTimeout 5
 SSLStaplingFakeTryLater off
 SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:/var/run/ocsp(128000)
-# Use HSTS
-Header always add Strict-Transport-Security "max-age=15768000"
+# Use HSTS and other relevant headers
+Header always set Strict-Transport-Security "max-age=15768000"
+Header always setifempty Referrer-Policy "strict-origin-when-cross-origin"
+Header always setifempty X-XSS-Protection "1; mode=block"
+Header always setifempty X-Content-Type-Options "nosniff"
+Header always setifempty X-Frame-Options "sameorigin"
+
+# Make sure anything in the 'onsuccess' table is moved out of the way for the above headers
+# This works around an Apache oddity in the way it handles setting headers
+# The only module known to use the 'onsuccess' table is proxy_http, so in practice this has minimal risk for us
+# proxy_fcgi (for PHP) and regular CGI scripts use the always table and will be covered by the above
+Header onsuccess unset Strict-Transport-Security
+Header onsuccess unset Referrer-Policy
+Header onsuccess unset X-XSS-Protection
+Header onsuccess unset X-Content-Type-Options
+Header onsuccess unset X-Frame-Options
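Review bot: The `Header always setifempty` lines do not let a proxied backend keep its own value for these headers, because `setifempty` appears to consult only the `always` table while a proxy_http response carries the backend's headers in the `onsuccess` table, which the `Header onsuccess unset` lines then drop — a backend sending a stricter `X-Frame-Options: DENY` would end up served as `sameorigin`. The block comment accepts this as low risk, so the consequence is worth stating explicitly next to the unset lines, e.g. `# NOTE: for proxy_http backends the backend's own value of these headers is discarded and the values set above win`. Separately, `X-XSS-Protection "1; mode=block"` enables a legacy browser filter that current guidance recommends switching off (`Header always set X-XSS-Protection "0"`) in favour of a Content-Security-Policy, since the filter has been removed from most browsers and its block mode has been a source of side-channel issues in the ones that had it. The hunk spans the whole template, so no directive here is cut off at the edges.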