Title: recommended security headers missing?
Last modified: December 28, 2021

---

# recommended security headers missing?

 *  Resolved [birgitspeulman](https://wordpress.org/support/users/birgitspeulman/)
 * (@birgitspeulman)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/recommended-security-headers-missing/)
 * Since about a week I get this message:
 * Uw site verstuurt niet alle aanbevolen beveiliging headers.
 * Upgrade Insecure Requests
    X-XSS protection X-Content Type Options Referrer-Policy
   Expect-CT X-Frame-Options Permissions-Policy HTTP Strict Transport Security
 * When I open .htaccess, all heders are there:
 *     ```
       # Really Simple SSL
       Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
       Header always set Content-Security-Policy "upgrade-insecure-requests"
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-XSS-Protection "1; mode=block"
       Header always set Expect-CT "max-age=7776000, enforce"
       Header always set Referrer-Policy: "no-referrer-when-downgrade"
       # End Really Simple SSL
   
       And Redirect checker returns:
   
       >>> https://www.kunstlokaalno8.nl
       > --------------------------------------------
       > 200 OK
       > --------------------------------------------
       Status:
       200 OK
       Code:
       200
       Date:
       Mon, 27 Dec 2021 11:05:25 GMT
       Content-Type:
       text/html; charset=UTF-8
       Connection:
       close
       Server:
       Apache
       Strict-Transport-Security:
       max-age=31536000
       Content-Security-Policy:
       upgrade-insecure-requests
       X-Content-Type-Options:
       nosniff
       X-XSS-Protection:
       1; mode=block
       Expect-CT:
       max-age=7776000, enforce
       Referrer-Policy:
       no-referrer-when-downgrade
       X-Pingback:
       https://www.kunstlokaalno8.nl/xmlrpc.php
       Link:
       <https://www.kunstlokaalno8.nl/>; rel=shortlink
       X-Dynamic-Cache:
       1
       Cache-Control:
       max-age=600
       X-Varnish-Host:
       ip-172-16-1-103
       X-Varnish:
       6932960
       Age:
       0
       Via:
       1.1 varnish (Varnish/5.0)
       Accept-Ranges:
       bytes
       ```
   
 * So, all seems OK.
 * I refreshed the settings in Really Simple SSL, but nothing changed and the warning
   is still there.
 * What can I do?
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Frecommended-security-headers-missing%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Mark](https://wordpress.org/support/users/markwolters/)
 * (@markwolters)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/recommended-security-headers-missing/#post-15201221)
 * Hi [@birgitspeulman](https://wordpress.org/support/users/birgitspeulman/),
 * the security headers are returned on your site, so I expect the notice is still
   cached. Since everything seems to be working correctly I’d recommend to dismiss
   the notice by pressing the X next to it.
 *  Thread Starter [birgitspeulman](https://wordpress.org/support/users/birgitspeulman/)
 * (@birgitspeulman)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/recommended-security-headers-missing/#post-15202135)
 * Ok, thanks!
 *  [cleandiamond](https://wordpress.org/support/users/cleandiamond/)
 * (@cleandiamond)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/recommended-security-headers-missing/#post-15206204)
 * The Site shows the following. How can I finish the SSL upgrade?
 *     ```
       The following recommended security headers are not detected:
       Upgrade Insecure Requests
       X-XSS protection
       X-Content Type Options
       Referrer-Policy
       Expect-CT
       X-Frame-Options
       Permissions-Policy
       HTTP Strict Transport Security
       ```
   

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘recommended security headers missing?’ is closed to new replies.

 * ![](https://ps.w.org/really-simple-ssl/assets/icon-256x256.png?rev=2839720)
 * [Really Simple Security - Simple and Performant Security (formerly Really Simple SSL)](https://wordpress.org/plugins/really-simple-ssl/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/really-simple-ssl/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/really-simple-ssl/)
 * [Active Topics](https://wordpress.org/support/plugin/really-simple-ssl/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/really-simple-ssl/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/really-simple-ssl/reviews/)

## Tags

 * [headers](https://wordpress.org/support/topic-tag/headers/)
 * [missing](https://wordpress.org/support/topic-tag/missing/)
 * [warning](https://wordpress.org/support/topic-tag/warning/)

 * 3 replies
 * 3 participants
 * Last reply from: [cleandiamond](https://wordpress.org/support/users/cleandiamond/)
 * Last activity: [4 years, 5 months ago](https://wordpress.org/support/topic/recommended-security-headers-missing/#post-15206204)
 * Status: resolved