Plugin Author
Mark
(@markwolters)
Hi @reedie19,
the security headers aren’t required, but a nice to have. Could you paste the code that caused the issue in this thread so we can have a look at what the issue might be? Also see https://really-simple-ssl.com/site-health-recommended-security-headers/
Hi Mark
Thanks for the reply.
The code I used was from the link you recommended. My default code is:
# Added by provider
Options +Indexes
The code I added (from the link) was:
# Really Simple SSL
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
Header always set Content-Security-Policy “upgrade-insecure-requests”
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
# End Really Simple SSL
I included the ‘Content-Security-Policy’ code as although not included in the composite at the bottom of the link it was listed in the individual examples above. I have tried both pasting in (from Notepad++) then when that created the error, I typed it in via the Cpanel editor (in case there were any encoding issues). Both had the same results.
Can you re-type all quotes? It is possible that your quotes are not actual “quotes”, but converted. In that case it can throw an error. Please note the difference between ” and "
Hi Rogier,
I entered the code in two ways, firstly by pasting from Notepad++ encoded as utf8 and then after the site crash recovery, by typing directly into the cpanel text editor. As a result I believed them to be the correct form of quote marks. It looks like pasting them into the message box changed their appearance, although pasting the code again into the message box below, the quote marks are vertical (before clicking submit). Now having clicked submit the published version shows the quotes inclined, though now I’m editing they are vertical again. So I think they are OK but would welcome advice if the text editors I’ve used are inadequate.
# Really Simple SSL
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
Header always set Content-Security-Policy “upgrade-insecure-requests”
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
# End Really Simple SSL
This reply was modified 5 years, 4 months ago by reedie19.
Plugin Author
Mark
(@markwolters)
Hi @reedie19,
these issues can occur when copying and pasting the code. As long as you make sure the code uses the ” quotes it should be all good.
Thanks for your patience Mark.
I’ve retyped the code, using the CPanel text editor. I confirm that the encoding was UTF8 and the quote marks were vertical. I entered and tested the code lines one at a time, with hard refresh and cache bypass. No site crash this time (I’ve no idea what the difference is this time as I used the CPanel editor previously) and no suspicious behaviour with any of the code lines. However even though the site is working fine, I still get the same Site Health Status report ‘Not all recommended security headers are installed’ and then lists all six that the code should have installed.
My assumption is that the subsequent instruction:
# Added by provider
Options +Indexes
must over-ride the new code lines?
I think it’s time to draw comfort from your opening observation, ‘the security headers aren’t required, but a nice to have’ and live with it (unless you have any suggestions?)
Plugin Author
Mark
(@markwolters)
Can you verify if all the recommended security headers have been set in your .htaccess file? If so, could you paste the security headers section from your .htaccess file as it is now here so we can have a look?
Hi Mark
I did have all the code in the .htaccess, but my site had a fault yesterday, purely coincidentally, due to a conflict with a plugin update. Before diagnosing the cause I deleted that code from the .htaccess in case that contributed (it didn’t).
I can however confirm that the code I had was the code I pasted above so it read, including the original code:
# Really Simple SSL
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
Header always set Content-Security-Policy “upgrade-insecure-requests”
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
# End Really Simple SSL
# Added by provider
Options +Indexes
Plugin Author
Mark
(@markwolters)
There still seems to be an issue with that code using “ instead of ” quotes, which can cause the issue. Besides that, the code looks correct.
Hi Mark
Thanks for your patience. I have now resolved it, with apologies. I read an article on .htaccess and discovered to my surprise that there can be several of them on a site. I rechecked your article, pointing me to the public root. Since unsuccessfully looking there I switched on ‘hidden files’ and then found and edited a version of .htaccess in the site root (believing that to be the only one at the time). Now having actually followed your advice and found the public root version of .htaccess, the code worked exactly as you advise.
Unfortunately another case of ‘RTFI’
Regards
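The two problems this thread ran into (typographic quotes in `Header` directives, and editing a `.htaccess` other than the one in the public root) can be checked offline. The following is an added example, not code from the thread or from the plugin; the names `audit_htaccess`, `audit_tree` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
import re
from pathlib import Path

# The six header names from the snippet quoted in this thread.
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "X-XSS-Protection",
            "Expect-CT", "Referrer-Policy"]
# Typographic quotes that editors and web forms substitute for " and '.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# Header [always|onsuccess] set <Name>[:] <value>; the colon is optional.
HEADER_RE = re.compile(
    r"^\s*Header\s+(?:(?:always|onsuccess)\s+)?set\s+([A-Za-z0-9-]+):?\s", re.I)

# Constructed sample: line 3 carries typographic quotes.
SAMPLE = "\n".join([
    "# Really Simple SSL",
    'Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS',
    "Header always set X-XSS-Protection \u201c1; mode=block\u201d",
    'Header always set Referrer-Policy: "no-referrer-when-downgrade"',
    "Options +Indexes",
]) + "\n"

def audit_htaccess(text):
    """Return (headers_set, missing, smart_quote_line_numbers) for one file."""
    found, bad_lines = set(), []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        if any(ch in line for ch in SMART_QUOTES):
            bad_lines.append(number)  # this checker does not count the line as set
            continue
        match = HEADER_RE.match(line)
        if match:
            found.add(match.group(1).lower())
    missing = [name for name in EXPECTED if name.lower() not in found]
    return sorted(found), missing, bad_lines

def audit_tree(root):
    """Audit every .htaccess below root; a site can hold several of them."""
    return {path.relative_to(root).as_posix():
            audit_htaccess(path.read_text(encoding="utf-8"))
            for path in sorted(Path(root).rglob(".htaccess"))}

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

Running `audit_tree` on the account's home directory shows which `.htaccess` actually holds the header lines, which is the file the web server must read for the Site Health check to pass.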