#Begin Really Simple Security
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
#End Really Simple Security
# Really Simple SSL
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "enforce, max-age=7776000"
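# NOTE: "no-referrer-when-downgrade" is a Referrer-Policy value, not a
# Permissions-Policy directive (those take the form feature=(allowlist), e.g. geolocation=()).
Header always set Permissions-Policy: "no-referrer-when-downgrade"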
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options: "SAMEORIGIN"
#End Really Simple SSL
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Hi @jdelgadoesteban,
You can use a tool such as SecurityHeaders.com to check which headers you’re still missing, and add those as well.
But as the configuration of Security Headers through this plugin is part of the Pro version, please reach us at support(at)really-simple-ssl.com if you have any further questions about that.
Kind regards, Jarno
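
An offline complement to the online check suggested above, as an added example that is not part of this thread or of the plugin: a small Python audit of the `Header` directives in an .htaccess file. The `RECOMMENDED` list and the function names are assumptions of this example, and the sample input is constructed from the Header lines posted above.

```python
import re

# Constructed sample: the Header lines from the .htaccess posted in this thread.
SAMPLE = """\
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "enforce, max-age=7776000"
Header always set Permissions-Policy: "no-referrer-when-downgrade"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options: "SAMEORIGIN"
"""

# Assumption of this example, not an online scanner's own list.
RECOMMENDED = ["Content-Security-Policy", "Strict-Transport-Security",
               "X-Content-Type-Options", "X-Frame-Options",
               "Referrer-Policy", "Permissions-Policy"]
# Deprecated headers.
LEGACY = ["X-XSS-Protection", "Expect-CT"]
# The eight values defined for Referrer-Policy.
REFERRER_TOKENS = {"no-referrer", "no-referrer-when-downgrade", "same-origin",
                   "origin", "strict-origin", "origin-when-cross-origin",
                   "strict-origin-when-cross-origin", "unsafe-url"}

# Header [always|onsuccess] set|add|append|merge|setifempty Name[:] "value"
DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?(?:set|add|append|merge|setifempty)'
    r'\s+([A-Za-z0-9-]+):?\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def parse_headers(text):
    """Map lower-cased header name -> value for each Header directive."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return found

def audit(text):
    """Report absent recommended headers, legacy headers, and mismatched values."""
    found = parse_headers(text)
    report = {"missing": [h for h in RECOMMENDED if h.lower() not in found],
              "legacy": [h for h in LEGACY if h.lower() in found],
              "mismatched": []}
    pp = found.get("permissions-policy")
    if pp is not None and pp.strip().lower() in REFERRER_TOKENS:
        # A referrer token here is not a feature=(allowlist) directive.
        report["mismatched"].append("Permissions-Policy")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```
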