• Resolved atfpodcast

    (@atfpodcast)


    So I added this to the end of my .htaccess, after # END WordPress:
    # security headers
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always append X-Frame-Options SAMEORIGIN

    In my Site Health, the notice had gone away and now it is back, saying:

    Your .htaccess file does not contain all recommended security headers.
    I am using GoDaddy. On other sites, the message is gone.
    
    Please advise
    
        HTTP Strict Transport Security
        Content Security Policy: Upgrade Insecure Requests
        X-XSS protection
        X-Content Type Options
        Referrer-Policy
        Expect-CT
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Mark

    (@markwolters)

    Hi @atfpodcast,

    could you post your .htaccess file here so we can check if the headers have been set correctly?

    Thread Starter atfpodcast

    (@atfpodcast)

    <IfModule mod_rewrite.c>
    RewriteEngine Off
    </IfModule>

    # BEGIN rlrssslReallySimpleSSL rsssl_version[4.0.15]
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>
    # END rlrssslReallySimpleSSL
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /blog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]
    </IfModule>
    # END WordPress

    # Security header
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always append X-Frame-Options SAMEORIGIN
    # Security header

    Plugin Author Mark

    (@markwolters)

    Hi @atfpodcast,

    it could be the Apache module mod_headers is not enabled on your webserver. This can prevent the security headers from being set. Could you check if your webserver has the mod_headers module enabled, and if not, enable it?

    Thread Starter atfpodcast

    (@atfpodcast)

    Hello. I upgraded the license to the plugin to a 1-5 site and the plugin took care of it and it works. 🙂 I was getting SSL working with the free version; just the headers were not being fixed. All is good now. 🙂


The topic ‘Security headers’ is closed to new replies.
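
A way to check an .htaccess file against the six headers the notice lists, as an added example that is not part of the thread or of the plugin's code. The function name `audit_htaccess`, the per-header value checks and the sample input are assumptions made for illustration; it inspects the file only, so whether the headers are actually sent still depends on mod_headers being enabled, as raised in the replies.

```python
import re
# Headers listed in the plugin notice quoted in this thread; the value checks are assumptions.
RECOMMENDED = {
    "strict-transport-security": lambda v: "max-age=" in v,
    "content-security-policy": lambda v: "upgrade-insecure-requests" in v,
    "x-xss-protection": lambda v: v.startswith("1"),
    "x-content-type-options": lambda v: v == "nosniff",
    "referrer-policy": lambda v: bool(v),
    "expect-ct": lambda v: "max-age=" in v,
}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"
HEADER_RE = re.compile(
    r'^Header\s+(?:(?:always|onsuccess)\s+)?(?:set|append|add|merge)\s+'
    r'([A-Za-z0-9-]+):?\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def audit_htaccess(text):
    """Return (missing recommended headers, warnings) for .htaccess text."""
    ok, warnings = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("header "):
            continue  # comments, rewrite rules and other directives
        if any(q in line for q in TYPOGRAPHIC_QUOTES):
            warnings.append(f"line {lineno}: typographic quotes (Apache only quotes with ASCII \" and ')")
            continue
        m = HEADER_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: could not parse Header directive")
            continue
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        check = RECOMMENDED.get(name)  # None for e.g. X-Frame-Options
        if check and check(value):
            ok.add(name)
        elif check:
            warnings.append(f"line {lineno}: unexpected value for {name}: {value!r}")
    return sorted(set(RECOMMENDED) - ok), warnings
# Constructed sample (not the poster's file): one curly-quoted value, no Expect-CT.
SAMPLE = """\
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options \u201cnosniff\u201d
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always append X-Frame-Options SAMEORIGIN
"""
if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

A header whose value is wrapped in typographic quotes is reported as missing, because such a line does not carry the quoted value Apache expects.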