Missing Headers
-
Hi. I’ve added about 6 different security headers to my website, but in the plugin inspection and external 3rd party inspection, all are missing. I’m using Apache and have the default mode set for the plugin. When I checked .htaccess, the plugin headers are under the IfModule.
-
Can you post here those headers?
Also, are you sure the module you mention above is loaded on your server?

Hi. The headers I have added are:
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Referrer-Policy origin
Content-Security-Policy default-src 'self'; script-src 'self'; style-src 'self'; img-src https:; child-src 'none'
Feature-Policy camera 'self'; domain 'self'; payment 'self'

When I go into my .htaccess I see:
# END WordPress
# BEGIN HttpHeaders
# The directives (lines) between BEGIN HttpHeaders and END HttpHeaders are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\.(php|html)$">
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src https:; child-src 'none'"
Header set Referrer-Policy "origin"
Header set Feature-Policy "camera 'self'; domain 'self'; payment 'self'"
</FilesMatch>
</IfModule>

I restarted the server as well
Now, you need to ensure you have the mod_headers module loaded and working. To do so, run the following command:
apache2ctl -M
If you can’t access the command line, the easiest way is to put a comment sign in front of the start and end IfModule statements in your .htaccess file. If the module is not loaded you will get a 500 Internal Server Error. If so, first remove the comments and the error will disappear, then you need to activate/load the mod_headers module.
# <IfModule mod_headers.so>
...
# </IfModule>
If no error occurs, the module should be loaded.
The other thing that could possibly stop .htaccess rules is having the following directive in your server httpd.conf file:
AllowOverride None
If that’s the case, nothing from .htaccess will work. It needs to be changed to:
AllowOverride All

This reply was modified 5 years, 11 months ago by Dimitar Ivanov. Reason: clarification
@zinoui Thanks so much for the help, but it’s still not working. I ran apache2ctl -M and got back
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
I couldn’t find a httpd.conf but I found apache2.conf and changed the following:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
AllowOverride was originally None. I restarted the apache2 service after doing this and ran sudo a2enmod rewrite, both of which were successful.
I also tried commenting out <IfModule mod_headers.c> (not “.so” which I don’t seem to have) and that caused a 500 Internal Server Error for the website :/. Is there anything else you could think of that could locate the problem?
I also tried switching to PHP, which worked but caused errors with some of my plugins.
Ok. I was able to get it by switching over to PHP (deprecated).
I can’t see the headers_module in the list returned from apache2ctl -M command. To make it work you need to enable that module.
Of course, PHP mode is also an option.
Regards,
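
Added example, not part of the thread or the plugin's code: a check for the failure mode diagnosed above, where directives inside an `<IfModule>` guard are silently ignored because the guarded module is absent from the `apache2ctl -M` list. The sample inputs are constructed, and the `mod_NAME.c` to `NAME_module` mapping is an assumption based on the usual naming.

```bash
#!/usr/bin/env bash
# Constructed sample: trimmed `apache2ctl -M` output in the shape shown in the thread.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mime_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 ssl_module (shared)'

# Constructed sample: .htaccess with the same kind of guards as the thread.
SAMPLE_HTACCESS='<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>'

# Map an IfModule argument to a module identifier.
# Assumption: the common mod_NAME.c -> NAME_module naming; it is not universal.
to_identifier() {
  case "$1" in
    mod_*.c) n=${1#mod_}; printf '%s_module\n' "${n%.c}" ;;
    *)       printf '%s\n' "$1" ;;
  esac
}

# is_loaded IDENT MODULE_LIST: exit status 0 if IDENT appears in the list.
is_loaded() {
  printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# skipped_guards HTACCESS MODULE_LIST: print each IfModule argument whose module
# is not loaded. Apache ignores everything inside such a block without an error.
skipped_guards() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*<IfModule[[:space:]]\{1,\}\([^>[:space:]]*\)>.*/\1/p' |
    while read -r arg; do
      case "$arg" in '!'*) continue ;; esac   # negated guards are not evaluated here
      is_loaded "$(to_identifier "$arg")" "$2" || printf '%s\n' "$arg"
    done
}

skipped_guards "$SAMPLE_HTACCESS" "$SAMPLE_MODULES"   # prints: mod_headers.c
```

On a live server the same function can be fed `"$(cat .htaccess)"` and `"$(apache2ctl -M 2>/dev/null)"`. On the Debian/Ubuntu layout seen in the thread (apache2.conf, a2enmod), a missing headers_module is enabled with `sudo a2enmod headers` followed by an Apache restart.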
@zinoui Agreed. How do I add the module though, do I do it manually?
In the Apache’s httpd.conf search for:
#LoadModule headers_module /path/to/modules/mod_headers.so
then remove the comment, and restart Apache. This should be enough.
Hi @zinoui. I’ll go ahead and mark this closed. I can’t find httpd.conf, only apache2.conf, and that line doesn’t seem to be there. Moreover, the file in .htaccess says mod_headers.c not mod_headers.so and I’m not an expert in these things so I’m not sure if they’re the same. I will just use PHP for now I guess. Thanks again.
Resolved
The topic ‘Missing Headers’ is closed to new replies.