Title: Security headers
Last modified: June 9, 2021

---

# Security headers

 *  Resolved [atfpodcast](https://wordpress.org/support/users/atfpodcast/)
 * (@atfpodcast)
 * [5 years ago](https://wordpress.org/support/topic/security-headers-10/)
 * So I added this to the end of my .htaccess after #end wordpress
 *     ```
       # security headers
       Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
       Header always set Content-Security-Policy "upgrade-insecure-requests"
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-XSS-Protection "1; mode=block"
       Header always set Expect-CT "max-age=7776000, enforce"
       Header always set Referrer-Policy: "no-referrer-when-downgrade"
       Header always append X-Frame-Options SAMEORIGIN
       ```
 * In my Site Health the notice had gone away and now it is back saying:
 *     ```
       Your .htaccess file does not contain all recommended security headers.
       I am using godaddy. On other sites, the message is gone.
   
       Please advise
   
           HTTP Strict Transport Security
           Content Security Policy: Upgrade Insecure Requests
           X-XSS protection
           X-Content Type Options
           Referrer-Policy
           Expect-CT
       ```
   

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Plugin Author [Mark](https://wordpress.org/support/users/markwolters/)
 * (@markwolters)
 * [5 years ago](https://wordpress.org/support/topic/security-headers-10/#post-14539978)
 * Hi [@atfpodcast](https://wordpress.org/support/users/atfpodcast/),
 * could you post your .htaccess file here so we can check if the headers have been
   set correctly?
 *  Thread Starter [atfpodcast](https://wordpress.org/support/users/atfpodcast/)
 * (@atfpodcast)
 * [5 years ago](https://wordpress.org/support/topic/security-headers-10/#post-14540853)
 *     ```
       <IfModule mod_rewrite.c>
       RewriteEngine Off
       </IfModule>

       # BEGIN rlrssslReallySimpleSSL rsssl_version[4.0.15]
       <IfModule mod_rewrite.c>
       RewriteEngine on
       RewriteCond %{HTTPS} !=on [NC]
       RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
       </IfModule>
       # END rlrssslReallySimpleSSL
       # BEGIN WordPress
       # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
       # dynamically generated, and should only be modified via WordPress filters.
       # Any changes to the directives between these markers will be overwritten.
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
       RewriteBase /blog/
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /blog/index.php [L]
       </IfModule>
       # END WordPress

       # Security header
       Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
       Header always set Content-Security-Policy "upgrade-insecure-requests"
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-XSS-Protection "1; mode=block"
       Header always set Expect-CT "max-age=7776000, enforce"
       Header always set Referrer-Policy: "no-referrer-when-downgrade"
       Header always append X-Frame-Options SAMEORIGIN
       # Security header
       ```
 *  Plugin Author [Mark](https://wordpress.org/support/users/markwolters/)
 * (@markwolters)
 * [4 years, 12 months ago](https://wordpress.org/support/topic/security-headers-10/#post-14544375)
 * Hi [@atfpodcast](https://wordpress.org/support/users/atfpodcast/),
 * it could be the Apache module mod_headers is not enabled on your webserver. This
   can prevent the security headers from being set. Could you check if your webserver
   has the mod_headers module enabled, and if not, enable it?
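
Added example, not part of the thread or the plugin's code: one way to tell whether the `Header` directives in the posted file are taking effect is to compare what the `.htaccess` configures with what a response actually carries. The response below is constructed sample data (on a live site it would come from something like `curl -sI`), and the function names are hypothetical.

```python
import re

# Security-header lines from the .htaccess posted in the thread.
HTACCESS = '''\
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always append X-Frame-Options SAMEORIGIN
'''

# Constructed sample response headers (assumption, not captured from the site).
RESPONSE = '''\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
'''

# mod_headers syntax: Header [condition] action name [value]; the name may end in ':'.
DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?(set|append|add|merge|setifempty)\s+'
    r'([A-Za-z0-9-]+):?\s+("[^"]*"|\S+)', re.IGNORECASE)

def configured_headers(htaccess):
    """Map lower-cased header name -> value for each Header directive."""
    found = {}
    for line in htaccess.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(2).lower()] = m.group(3).strip('"')
    return found

def delivered_headers(raw_response):
    """Map lower-cased header name -> value from a raw response header block."""
    out = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(':')
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def not_delivered(htaccess, raw_response):
    """Headers the .htaccess configures but the response does not carry."""
    sent = delivered_headers(raw_response)
    return sorted(h for h in configured_headers(htaccess) if h not in sent)
```

A non-empty result from `not_delivered` means the file contains the directives but the server is not applying them, so the next place to look is the server configuration rather than the `.htaccess` text.
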
 *  Thread Starter [atfpodcast](https://wordpress.org/support/users/atfpodcast/)
 * (@atfpodcast)
 * [4 years, 12 months ago](https://wordpress.org/support/topic/security-headers-10/#post-14549645)
 * Hello. I upgraded the license to the plugin to a 1-5 site and the plugin took
   care of it and it works. 🙂 I was getting SSL with the free version working just
   the headers were not being fixed. All is good now. 🙂
    -  This reply was modified 4 years, 12 months ago by [atfpodcast](https://wordpress.org/support/users/atfpodcast/).


The topic ‘Security headers’ is closed to new replies.

 * 4 replies
 * 2 participants
 * Last reply from: [atfpodcast](https://wordpress.org/support/users/atfpodcast/)
 * Last activity: [4 years, 12 months ago](https://wordpress.org/support/topic/security-headers-10/#post-14549645)
 * Status: resolved