Moderator
t-p
(@t-p)
I performed a header check against my site from…
To rule out a plugin conflict, try disabling ALL plugins and then check again.
It came back with some issues – missing headers.
What specific headers are missing?
Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Ideally, these should be set at the web server level.
But if you don’t have the necessary access or skill to do that, there are a couple of WordPress plugins that allow you to add/remove/change HTTP response headers.
Here’s one: https://ww.wp.xz.cn/plugins/headers-security-advanced-hsts-wp/
But there are more: https://ww.wp.xz.cn/plugins/search/csp/
Be careful adding these security-related headers willy-nilly though, as improper implementation WILL break your site.
Good luck!
For the record, I fixed this by adding headers to the Apache .htaccess file. For example:
Header always set X-Frame-Options "SAMEORIGIN"
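
An added example, not part of the original posts: an .htaccess block covering the six headers listed in the thread, in the same `Header always set` style. It assumes Apache 2.4 with mod_headers and a site served over HTTPS; every value except the X-Frame-Options one is an illustrative choice, and the CSP is sent in report-only mode so it cannot break the site while the policy is being tuned.

```apache
# Added example (assumptions: Apache 2.4, mod_headers enabled, HTTPS site).
<IfModule mod_headers.c>
    # HSTS: only meaningful on HTTPS responses, so send it only there.
    # Start with a short max-age while testing; browsers cache this value.
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"

    # Clickjacking protection (the value from the post above).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from MIME-sniffing responses into another content type.
    Header always set X-Content-Type-Options "nosniff"

    # Send the full URL as referrer to same-origin requests, origin only cross-site.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable browser features the site does not use (illustrative list).
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"

    # CSP in report-only mode: violations are logged in the browser console
    # but nothing is blocked. Themes and plugins that load inline or
    # third-party scripts will show up here. Once the policy fits the site,
    # rename the header to Content-Security-Policy to enforce it.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'"
</IfModule>
```

After saving, reload a page and confirm the headers with the browser's network tab or `curl -I` before re-running the header check.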