Title: Missing security headers SSL
Last modified: November 25, 2020

---

# Missing security headers SSL

 *  Resolved [Cali](https://wordpress.org/support/users/dirollordi/)
 * (@dirollordi)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/)
 * Hello,
 * WordPress is telling me this in the health check:
 * Missing security headers SSL
 * Your .htaccess file does not contain all recommended security headers.
 * HTTP Strict Transport Security
 * Content Security Policy: Upgrade Insecure Requests
 * X-XSS protection
 * X-Content Type Options
 * Referrer-Policy
 * X-Frame-Options
 * Expect-CT
 * Am I doing something wrong? I think this appeared with your latest update.
 * Thank you for your help.

Viewing 15 replies - 1 through 15 (of 20 total)


 *  Plugin Author [Mark](https://wordpress.org/support/users/markwolters/)
 * (@markwolters)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13707154)
 * Hi [@dirollordi](https://wordpress.org/support/users/dirollordi/),
 * The plugin indeed checks if security headers have been set. The notice will disappear
   if you add any of the following security headers to your site: [https://really-simple-ssl.com/everything-you-need-to-know-about-security-headers/](https://really-simple-ssl.com/everything-you-need-to-know-about-security-headers/)
 *  [savvylearner](https://wordpress.org/support/users/savvylearner/)
 * (@savvylearner)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13717169)
 * Hi [@markwolters](https://wordpress.org/support/users/markwolters/),
 * I added
 *     ```
       # BEGIN Really Simple SSL
       Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-XSS-Protection "1; mode=block"
       Header always set Expect-CT "max-age=7776000, enforce"
       Header always set Referrer-Policy: "no-referrer-when-downgrade"
       # END Really Simple SSL
       ```
   
 * at the top of my `.htaccess` file in `/opt/bitnami/apps/wordpress/htdocs`, but the
   “recommended improvement” message doesn’t go away. Also `securityheaders.com`
   shows that the headers added above aren’t active. What is the problem?
 *  [savvylearner](https://wordpress.org/support/users/savvylearner/)
 * (@savvylearner)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13718279)
 * UPDATE.
 * I found one problem. Apache wasn’t parsing `.htaccess`. I solved it by modifying
   `/opt/bitnami/apps/wordpress/conf/httpd-app.conf` (`AllowOverride None --> AllowOverride All`).
   I checked on `securityheaders.com` and it worked.
 * However, the “recommended improvement” message on my site-health page was still
   there. I noticed that the header `Content-Security-Policy` was missing from [https://really-simple-ssl.com/site-health-recommended-security-headers/](https://really-simple-ssl.com/site-health-recommended-security-headers/).
   Thus, I added `Header set Content-Security-Policy "default-src 'self';"` to my
   `.htaccess`, but that disabled JavaScript on my website. Do you have any tip for
   me at this point? Thanks!
 *  [savvylearner](https://wordpress.org/support/users/savvylearner/)
 * (@savvylearner)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13719801)
 * UPDATE
 * I fine-tuned my policy following [https://developers.google.com/web/fundamentals/security/csp#use_case_3_ssl_only](https://developers.google.com/web/fundamentals/security/csp#use_case_3_ssl_only).
   Now the site-health page loads, but doesn’t show the statistics as some resources
   are still blocked (e.g. use of `eval()` in JavaScript). Is there a way to use
   the header `Content-Security-Policy` without breaking something in WordPress?
 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13719998)
 * As the content security policy can get quite complicated to enforce, I recommend
   using this one:
 * `Header always set Content-Security-Policy "upgrade-insecure-requests"`
 *  [Jaber](https://wordpress.org/support/users/anafenyx/)
 * (@anafenyx)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13723379)
 * Hi, this error appears after installing the plugin. Can you help me? (I want the
   code that I should write in the .htaccess file.) Thank you.
 * Your .htaccess file does not contain all recommended security headers.
 * HTTP Strict Transport Security
 * Content Security Policy: Upgrade Insecure Requests
 * X-XSS protection
 * X-Content Type Options
 * Referrer-Policy
 * Expect-CT
 *  [bujuyollarda](https://wordpress.org/support/users/bujuyollarda/)
 * (@bujuyollarda)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13748789)
 * I have the same problem. What is the exact solution?
 * Your .htaccess file does not contain all recommended security headers.
 * HTTP Strict Transport Security
 * Content Security Policy: Upgrade Insecure Requests
 * X-XSS protection
 * X-Content Type Options
 * Referrer-Policy
 * Expect-CT
 * [https://bujuyollarda.com/](https://bujuyollarda.com/)
 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13751148)
 * Please follow these steps:
    [https://really-simple-ssl.com/site-health-recommended-security-headers](https://really-simple-ssl.com/site-health-recommended-security-headers)
 *  [etr316](https://wordpress.org/support/users/etr316/)
 * (@etr316)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13774191)
 * Wow, what a mess: waste people’s time, annoy them, so that they cave and buy the
   pro version. Anyone know of a better program?
 *  [etr316](https://wordpress.org/support/users/etr316/)
 * (@etr316)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13774222)
 * By the way, I found a workaround, and it’s SIMPLE.
    1. Go to Plugins, locate Really SIMPLE SSL.
    2. Click Deactivate, and select KEEP HTTPS (important).
 * Your site remains with the security lock icon, and the “Not all recommended security
   headers are installed” on the site health will be gone. And Google won’t ding
   you anymore.
 * You will only see “you should remove inactive plugins”. I don’t know about you,
   but I’m fine with that.
 *  Plugin Contributor [Rogier Lankhorst](https://wordpress.org/support/users/rogierlankhorst/)
 * (@rogierlankhorst)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13775289)
 * [@etr316](https://wordpress.org/support/users/etr316/) glad to hear you found
   a solution that works for you.
 *  [etr316](https://wordpress.org/support/users/etr316/)
 * (@etr316)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13830458)
 * Thanks Rogier for this code: `Header always set Content-Security-Policy "upgrade-insecure-requests"`
 *  [flashsystem](https://wordpress.org/support/users/flashsystem/)
 * (@flashsystem)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13839909)
 * So finally what is the real solution for this?
 *  [etr316](https://wordpress.org/support/users/etr316/)
 * (@etr316)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13839986)
 * the solution is, you have to edit your htaccess file and add the code and save.
 *  [flashsystem](https://wordpress.org/support/users/flashsystem/)
 * (@flashsystem)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/#post-13841266)
 * Ok added it to the last line but that health message is still there
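
Several posts above report adding the headers and still seeing the notice, and one reports a `Content-Security-Policy` that broke JavaScript. The following is an added example, not code from Really Simple SSL or from any poster: it audits a raw HTTP response head for the headers named in the Site Health notice and notes what a CSP value will block. The function names and the sample responses are constructed for illustration.

```python
# Added example: header names come from the Site Health notice quoted in this thread.
RECOMMENDED = ["Strict-Transport-Security", "Content-Security-Policy", "X-XSS-Protection",
               "X-Content-Type-Options", "Referrer-Policy", "Expect-CT"]

def parse_headers(raw):
    """Parse a raw response head into {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                                # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_csp(value):
    """Split one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(raw):
    """Return (missing recommended headers, notes on what the CSP will block)."""
    headers = parse_headers(raw)
    missing = [h for h in RECOMMENDED if h.lower() not in headers]
    notes = []
    for value in headers.get("content-security-policy", []):
        policy = parse_csp(value)
        if "upgrade-insecure-requests" not in policy:
            notes.append("no upgrade-insecure-requests directive")
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            continue                             # policy does not restrict scripts
        if "'unsafe-inline'" not in sources or any(s.startswith(("'nonce-", "'sha")) for s in sources):
            notes.append("inline scripts without a nonce or hash are blocked")
        if "'unsafe-eval'" not in sources:
            notes.append("eval() is blocked")
    return missing, notes

# Constructed sample responses (not captured from any real site).
BASE = ("HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\n"
        "X-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\n"
        "Expect-CT: max-age=7776000, enforce\nReferrer-Policy: no-referrer-when-downgrade\n")
IGNORED = "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"   # .htaccess not parsed by Apache
STRICT = BASE + "Content-Security-Policy: default-src 'self';\n\n"
UPGRADE = BASE + "Content-Security-Policy: upgrade-insecure-requests\n\n"
```

To check a live site, pass the output of `curl -sI` for its HTTPS URL to `audit()`; an empty first list means every header from the notice is actually being served.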


The topic ‘Missing security headers SSL’ is closed to new replies.


 * 20 replies
 * 12 participants
 * Last reply from: [andreasra](https://wordpress.org/support/users/andreasra/)
 * Last activity: [5 years, 1 month ago](https://wordpress.org/support/topic/missing-security-headers-ssl-2/page/2/#post-14271923)
 * Status: resolved