Security Headers

  • Resolved aatrad

    (@aatrad)


    2 years, 10 months ago

    Regarding WordPress, there is one item that needs improvement to enhance its security, as indicated by the following message:

    Recommended security headers are not all installed. Your website does not send all recommended security headers. Upgrade Insecure Requests, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, X-Frame-Options, Permissions-Policy.”

    I have the Really Simple SSL Pro version, and according to the plugin, my site has an A+ status.

    What can be done to address this security message? Do I need to enter a code in the .htaccess file? I also tried deactivating all extensions except for Really Simple SSL to check if there is any conflict between plugins, but the message still appears.

    Thank you in advance.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter aatrad

    (@aatrad)

    2 years, 10 months ago

    I have performed another scan with Really Simple SSL, and the plugin indicates that the recommended security headers are not installed. However, I have configured these headers manually using the “HTTP Headers” plugin since my last message. Despite this, Really Simple SSL and WordPress do not recognize the headers that I have set using the other plugin.

    Plugin Support Jarno Vos

    (@jarnovos)

    2 years, 10 months ago

    Hi @aatrad,

    We would be happy to help with any questions you might have about the Pro plugin and it´s features, but please know that we are solely allowed to discuss the Free plugin on these forums. If we can assist with the configuration of the Pro plugin, please send us a message via support(at)really-simple-ssl.com and we would be happy to help.

    But just as a bit of clarification in the meantime:

    If you’ve enabled all of those headers in the Really Simple SSL Pro plugin, you won’t require the use of an additional plugin that sets them as well.

    If a scan tool such as SecurityHeaders.com detects all of the headers as listed in the Site Health notice, you should be good to go; as the Site Health notice is probably still ‘cached’ and should disappear after some time has passed.

    Kind regards, Jarno

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Security Headers’ is closed to new replies.