diff --git a/src/Handler.php b/src/Handler.php
index 7457e49d8f4c3c4f4f9a1e6779f6dc3dcdffa136..5ea429a49c1cc12b7e502790c6655e4c3715933f 100644
--- a/src/Handler.php
+++ b/src/Handler.php
@@ -120,6 +120,16 @@ class Handler extends BaseHandler {
       'webserver' => [
         'type' => 'apache',
         'overwriteconfig' => FALSE,
+        'responseheader' => [
+          'server' => '',
+          'strict_transport_security' => 'max-age=31536000; includeSubDomains',
+          'referrer_policy' => 'same-origin',
+          'permissions_policy' => 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=()',
+          'cross_origin_embedder_policy' => 'unsafe-none',
+          'cross_origin_opener_policy' => 'same-origin',
+          'cross_origin_resource_policy' => 'cross-origin',
+          'x_permitted_cross_domain_policies' => 'none',
+        ],
       ],
       'mailhog' => [
         'enable' => 0,
diff --git a/templates/docker-compose.yml.twig b/templates/docker-compose.yml.twig
index 6faa1de4490c3e81f83eef96fd5071df28609356..a4dffcbf8385ba4b793ddbe4a3712f55f2922f0c 100644
--- a/templates/docker-compose.yml.twig
+++ b/templates/docker-compose.yml.twig
@@ -49,10 +49,8 @@ services:
     restart: unless-stopped
 {% endif %}
     environment:
-{% if mailhog.enable %}
-      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
-{% elseif mailpit.enable %}
-      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailpit:1025
+{% if mailhog.enable or mailpit.enable %}
+      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S {% if mailhog.enable %}mailhog{% else %}mailpit{% endif %}:1025
 {% endif %}
       DB_HOST: mariadb
       DB_USER: drupal
@@ -153,6 +151,17 @@ services:
     labels:
       traefik.enable: 'true'
       traefik.docker.network: traefik-public
+      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {{ webserver.type }}-{{ projectname }}-headers@docker{% if basicauth.enable %},{{ webserver.type }}-{{ projectname }}-auth@docker{% endif %}{% for domain in extradomains %},{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
+
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.server: '{{ webserver.responseheader.server }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.strict-transport-security: '{{ webserver.responseheader.strict_transport_security }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.referrer-policy: '{{ webserver.responseheader.referrer_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.permissions-policy: '{{ webserver.responseheader.permissions_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-embedder-policy: '{{ webserver.responseheader.cross_origin_embedder_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-opener-policy: '{{ webserver.responseheader.cross_origin_opener_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.cross-origin-resource-policy: '{{ webserver.responseheader.cross_origin_resource_policy }}'
+      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-headers.headers.customresponseheaders.x-permitted-cross-domain-policies: '{{ webserver.responseheader.x_permitted_cross_domain_policies }}'
 {% if basicauth.enable %}
       traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-auth.basicauth.users: {{ basicauth.code }}
 {% endif %}
@@ -162,18 +171,6 @@ services:
       traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls: 'true'
       traefik.http.routers.{{ webserver.type }}-{{ projectname }}.tls.certresolver: lakedrops
 {% endif %}
-{% if extradomains|default([]) and basicauth.enable %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
-      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %},{{ webserver.type }}-{{ projectname }}-auth@docker
-{% elseif extradomains|default([])|length == 1 %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-redirectregex1@docker
-{% elseif extradomains|default([]) %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-middleware
-      traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-middleware.chain.middlewares: {% for domain in extradomains %}{% if loop.index > 1 %},{% endif %}{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}@docker{% endfor %}
-
-{% elseif basicauth.enable %}
-      traefik.http.routers.{{ webserver.type }}-{{ projectname }}.middlewares: {{ webserver.type }}-{{ projectname }}-auth@docker
-{% endif %}
 {% for domain in extradomains|default([]) %}
       traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.regex: "^https://{{ domain }}/(.*)"
       traefik.http.middlewares.{{ webserver.type }}-{{ projectname }}-redirectregex{{ loop.index }}.redirectRegex.replacement: "https://{{ projectdomain }}/$${1}"