Title: Really Simple says it is set, but wordpress and https://securityheaders.com/ no
Last modified: June 24, 2023

---

# Really Simple says it is set, but wordpress and https://securityheaders.com/ no

 *  Resolved [danstrongin](https://wordpress.org/support/users/danstrongin/)
 * (@danstrongin)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/really-simple-says-it-is-set-but-wordpress-and-https-securityheaders-com-no/)
 * I have set the headers according to your documentation 3 times now. I keep getting
   told the headers are not set. Other than adding to the Preload list, everything
   is set to on, but when I go to SecurityHeaders.com I am told it is not, and the
   WordPress dashboard says I am missing Upgrade Insecure Requests, Frame Ancestors,
   X-XSS protection, but they are set to on on my screen.
 * SecurityHeaders.com has this:
 * Security Report Summary
 * F
 * Site: [https://www.mastermanaging.com/](https://www.mastermanaging.com/)
 * IP Address: 194.1.147.15
 * Report Time: 24 Jun 2023 13:54:35 UTC
 * Headers: Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options
   Referrer-Policy Permissions-Policy
 * Advanced: Ouch, you should work on your security posture immediately:
 * Missing Headers
    - Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature
      to support on your site and strengthens your implementation of TLS by getting
      the User Agent to enforce the use of HTTPS. Recommended value “Strict-Transport-Security:
      max-age=31536000; includeSubDomains”.
    - Content-Security-Policy: Content Security Policy is an effective measure to protect
      your site from XSS attacks. By whitelisting sources of approved content, you can
      prevent the browser from loading malicious assets.
    - X-Frame-Options: X-Frame-Options tells the browser whether you want to allow your
      site to be framed or not. By preventing a browser from framing your site you can
      defend against attacks like clickjacking. Recommended value “X-Frame-Options: SAMEORIGIN”.
    - X-Content-Type-Options: X-Content-Type-Options stops a browser from trying to MIME-sniff
      the content type and forces it to stick with the declared content-type. The only
      valid value for this header is “X-Content-Type-Options: nosniff”.
    - Referrer-Policy: Referrer Policy is a new header that allows a site to control how
      much information the browser includes with navigations away from a document and
      should be set by all sites.
    - Permissions-Policy: Permissions Policy is a new header that allows a site to control
      which features and APIs can be used in the browser.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [phonyroyal](https://wordpress.org/support/users/phonyroyal/)
 * (@phonyroyal)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/really-simple-says-it-is-set-but-wordpress-and-https-securityheaders-com-no/#post-16845483)
 * [@danstrongin](https://wordpress.org/support/users/danstrongin/) a reply to your
   message yesterday at [_The site health tab says some things are not being sent. | WordPress.org_](https://wordpress.org/support/topic/the-site-health-tab-says-some-things-are-not-being-sent/)
   was deleted overnight and the thread closed.
 * Almost the opposite of what you report:
 * A security scan of[ ](https://3dworx.co.za)a site at [https://scan.really-simple-ssl.com](https://scan.really-simple-ssl.com/)
   does not detect many headers, despite them being set in the .htaccess file.
 * Similarly, the WordPress Tools -> Site Health page reports:
 * _Your website does not send all recommended security headers._
    - _Upgrade Insecure Requests_
    - _X-XSS protection_
    - _X-Content Type Options_
    - _Referrer-Policy_
    - _X-Frame-Options_
    - _Permissions-Policy_
    - _HTTP Strict Transport Security_
 * However, a scan using [securityheaders.com](https://securityheaders.com/) shows
   the headers do exist.
 *  [Kim van Dijk](https://wordpress.org/support/users/kimvdijk/)
 * (@kimvdijk)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/really-simple-says-it-is-set-but-wordpress-and-https-securityheaders-com-no/#post-16846185)
 * Hi [@danstrongin](https://wordpress.org/support/users/danstrongin/),
 * The security headers not being recognised can have several causes; we are happy
   to look into this with you. Please email us at support @ really-simple-ssl.com
   as these are Premium features and we are not allowed to follow up on this at
   the forum.
 * Kind regards, Kim
 *  [phonyroyal](https://wordpress.org/support/users/phonyroyal/)
 * (@phonyroyal)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/really-simple-says-it-is-set-but-wordpress-and-https-securityheaders-com-no/#post-16898482)
 * Thanks Kim – I have resent the email to the address above.
 * Thanks
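
When a plugin screen and two scanners disagree, as in this thread, the response headers themselves can be audited directly. The script below is an added example, not part of the original thread or of the plugin: it checks one response for the headers named above and treats Upgrade Insecure Requests and Frame Ancestors as what they are, directives inside `Content-Security-Policy`. The function names and the sample response are constructed for illustration.

```python
import http.client

# Headers named in the securityheaders.com report and Site Health list above.
HEADERS = ["Strict-Transport-Security", "Content-Security-Policy",
           "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
           "Permissions-Policy", "X-XSS-Protection"]
# These two are directives inside Content-Security-Policy, not headers.
CSP_DIRECTIVES = ["upgrade-insecure-requests", "frame-ancestors"]

def parse_raw(raw):
    """Turn a raw header block (e.g. from `curl -sI`) into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def fetch(host, path="/"):
    """Fetch one response without following redirects; returns (status, pairs)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    pairs = resp.getheaders()
    conn.close()
    return resp.status, pairs

def audit(pairs):
    """List the headers and CSP directives absent from one response."""
    seen = {}
    for name, value in pairs:
        seen.setdefault(name.lower(), []).append(value)
    missing = [h for h in HEADERS if h.lower() not in seen]
    directives = set()
    for policy in seen.get("content-security-policy", []):
        for part in policy.split(";"):
            if part.split():
                directives.add(part.split()[0].lower())
    missing += ["CSP: " + d for d in CSP_DIRECTIVES if d not in directives]
    return missing

# Constructed sample response, not captured from any real site.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    print(audit(parse_raw(SAMPLE)))
```

Because `fetch` does not follow redirects, the returned status shows whether the audited response was the page itself or a redirect in front of it, which is worth comparing when two scanners report different results for the same site.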


The topic ‘Really Simple says it is set, but wordpress and https://securityheaders.com/ no’ is closed to new replies.
