savvylearner
Forum Replies Created
UPDATE

I fine-tuned my policy following https://developers.google.com/web/fundamentals/security/csp#use_case_3_ssl_only . Now the site-health page loads, but doesn’t show the statistics as some resources are still blocked (e.g. use of eval() in JavaScript). Is there a way to use the header Content-Security-Policy without breaking something in WordPress?

UPDATE.

I found one problem. Apache wasn’t parsing .htaccess. I solved it by modifying /opt/bitnami/apps/wordpress/conf/httpd-app.conf (AllowOverride None --> AllowOverride All). I checked on securityheaders.com and it worked. However, the “recommended improvement” message on my site-health page was still there. I noticed that the header Content-Security-Policy was missing from https://really-simple-ssl.com/site-health-recommended-security-headers/. Thus, I added Header set Content-Security-Policy "default-src 'self';" to my .htaccess but that disabled JavaScript on my website. Do you have any tip for me at this point? Thanks!

Hi @markwolters,

I added

# BEGIN Really Simple SSL
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
# END Really Simple SSL

at the top of my .htaccess file in /opt/bitnami/apps/wordpress/htdocs, but the “recommended improvement” message doesn’t go away. Also securityheaders.com shows that the headers added above aren’t active. What is the problem?
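As an added example (not from the posts above, nor from the Really Simple SSL plugin), here is how the two problems described in this thread are usually handled on Apache: the AllowOverride change so that .htaccess is read at all, and a Content-Security-Policy shipped in report-only mode so it can be tuned against the real site before anything is blocked. The Directory block is a minimal illustration of the relevant directives, not a copy of the Bitnami file, and every value in the policy is an assumption to be adjusted for the site in question.

```apache
# ADDED EXAMPLE, not the poster's configuration.
#
# 1) Apache vhost / app config (the thread names
#    /opt/bitnami/apps/wordpress/conf/httpd-app.conf). With AllowOverride None,
#    Apache never reads .htaccess, so any Header directive placed there is
#    silently ignored; this is why securityheaders.com showed nothing at first.
#    Minimal illustrative block; the real file contains more than this.
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    AllowOverride All
    Require all granted
</Directory>

# 2) .htaccess in the WordPress document root.
#    "always" makes mod_headers add the header on error responses (4xx/5xx) as
#    well as on normal ones, so a 404 page is covered too.
#
#    Start with Content-Security-Policy-Report-Only: the browser evaluates the
#    policy and logs every violation to the developer console (and POSTs it to
#    report-uri if one is configured) but blocks nothing, so the site keeps
#    working while the policy is tightened. An enforcing "default-src 'self'" on
#    its own blocks every inline <script>, which is what disabled JavaScript on
#    the poster's site. The sources below are assumptions: WordPress core and many
#    plugins emit inline scripts and use eval()-style constructs, hence
#    'unsafe-inline' and 'unsafe-eval' appear here as a starting point; the
#    report-only run shows which of them the site can do without.
Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self'"

# 3) Once the console is clean on the pages that matter (front end, wp-admin,
#    Site Health), rename the header to enforce the same policy. Keep the
#    report-only line until then; running both at once is also valid.
# Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self'"
```

After each change, reload Apache and confirm the headers with a plain `curl -sI https://<site>/` rather than only with an external scanner, so that caching in front of the server does not hide the result.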