• Resolved José

    (@alquimia)


    Hi,

    I have an A+ on https://securityheaders.com
    But in my WP Dashboard, Site Health Status I see this message:

    “Your website does not send all recommended security headers.
    – Upgrade Insecure Requests”

    Thank you.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi @alquimia,

    Could be caching; is it the same here? https://scan.really-simple-ssl.com/

    Could you post your URL, so we can have a look?

    Regards, Aert

    Thread Starter José

    (@alquimia)

    Hello @aahulsebos

    Thank you for your fast response!

    Different results in your link scan.

    This is my Headers Security configuration in .htaccess:

    Do you suggest any change, or adding some additional line to my .htaccess?

    # Headers Security Advanced & HSTS WP - 5.0.06
    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header set Access-Control-Allow-Origin "null"
    Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    Header set X-Content-Security-Policy "img-src *; media-src * data:;"
    Header always set Content-Security-Policy "report-uri https://dcmlittler.com"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
    Header set X-Permitted-Cross-Domain-Policies "none"
    </IfModule>
    # END Headers Security Advanced & HSTS WP
    • This reply was modified 2 years, 5 months ago by José.
    Plugin Support jarnovos

    (@jarnovos)

    Hello @alquimia,

    It looks like the plugin that you use to insert these headers did not insert a Content-Security-Policy header with the value "upgrade-insecure-requests", which is the reason why the notice about it appears in your Site Health panel.

    Additionally, inserting the line below in the .htaccess file should address this:

    Header always set Content-Security-Policy "upgrade-insecure-requests"

    Hope it helps!
    Kind regards,
    Jarno

    Thread Starter José

    (@alquimia)

    Hello @jarnovos

    I updated this line as you suggested, but I got the same message!

    Header always set Content-Security-Policy "upgrade-insecure-requests"

    Thank you

    Plugin Support jarnovos

    (@jarnovos)

    Hello @alquimia,

    I tested your site with the Security Headers tool, but I don’t see this header appearing in the test yet.

    Perhaps the plugin that you’re using to add those headers is also editing the .htaccess file, and the lines that you are manually adding might be getting removed as a result?

    Kind regards,
    Jarno

    Thread Starter José

    (@alquimia)

    Hello @jarnovos

    Do you know the difference, and is it safe to update this code?

    Header always set Content-Security-Policy "report-uri https://mydomain.com"
    to this
    Header always set Content-Security-Policy "upgrade-insecure-requests"

    Thank you

    Plugin Support jarnovos

    (@jarnovos)

    Hi @alquimia,

    As you are using another plugin to add these headers, and that plugin inserts the ‘report-uri’ value instead of ‘upgrade-insecure-requests’, I would recommend asking their support team for guidance on changing this configuration.

    Really Simple SSL just detects that the ‘upgrade-insecure-requests’ value isn’t present, and displays the notice about it.

    Kind regards,
    Jarno
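    As an added example that is not part of this thread, of Really Simple SSL, or of the Headers Security plugin: the script below models how Apache mod_headers applies successive Header directives (a `set` replaces any earlier value of the same header, so two `Header set Content-Security-Policy` lines do not combine and the later one wins), parses a Content-Security-Policy value into its directives, shows how to add `upgrade-insecure-requests` to a policy that already carries `report-uri`, and runs the kind of check the Site Health notice above describes. The .htaccess fragments, the https://mydomain.com report-uri (taken from the question) and the one-item check list are constructed for the example; the simulator ignores the `expr=` conditions and is an approximation for illustration, not the real module.

```python
"""Added example (not from the thread or either plugin): model mod_headers
ordering, parse a CSP value, merge a directive into it, and run a
Site-Health-style check.  All config text below is constructed."""

import shlex
from typing import Dict, List

# Constructed: the plugin's CSP line plus the line suggested in the thread,
# appended as a second 'Header set' of the same header name.
HTACCESS_TWO_SETS = """
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
"""

# Constructed alternative: one header value carrying both directives.
HTACCESS_MERGED = """
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests; report-uri https://mydomain.com"
</IfModule>
"""


def simulate_mod_headers(config: str) -> Dict[str, List[str]]:
    """Toy model of mod_headers: directives run top to bottom; 'set' replaces any
    earlier value of that header, 'add' emits another header line, 'append' and
    'merge' join onto the existing value with a comma, 'unset' removes it.
    Trailing conditions (expr=..., env=...) are ignored, i.e. treated as true."""
    headers: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("Header "):
            continue  # comments, <IfModule> lines and blanks
        args = shlex.split(line)[1:]
        if args and args[0] in ("always", "onsuccess"):
            args = args[1:]
        action, name = args[0].lower(), args[1].lower()
        value = args[2] if len(args) > 2 else ""
        if action == "set":
            headers[name] = [value]
        elif action == "add":
            headers.setdefault(name, []).append(value)
        elif action in ("append", "merge"):
            if headers.get(name):
                if action == "merge" and value in headers[name][-1].split(", "):
                    continue  # merge skips a value that is already present
                headers[name][-1] += ", " + value
            else:
                headers[name] = [value]
        elif action == "unset":
            headers.pop(name, None)
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP policy into {directive-name: [values]}; names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def add_csp_directive(value: str, directive: str) -> str:
    """Return the policy with the directive added (unchanged if already present),
    so report-uri and upgrade-insecure-requests can live in one header value."""
    policy = parse_csp(value)
    if directive not in policy:
        policy[directive] = []
    return "; ".join(" ".join([name] + vals) for name, vals in policy.items())


def csp_has_directive(header_values: List[str], directive: str) -> bool:
    """True if any delivered policy carries the directive.  A header may be sent
    several times, and a comma inside one header separates independent policies."""
    for value in header_values:
        for policy in value.split(","):
            if directive in parse_csp(policy):
                return True
    return False


def site_health_style_check(headers: Dict[str, List[str]]) -> List[str]:
    """Return the missing items, phrased like the Site Health notice in the thread.
    Only the upgrade-insecure-requests item is modelled; the plugin's full list is
    not on the page."""
    missing = []
    csp = headers.get("content-security-policy", [])
    if not csp_has_directive(csp, "upgrade-insecure-requests"):
        missing.append("Upgrade Insecure Requests")
    return missing


if __name__ == "__main__":
    for label, cfg in (("two 'set' lines", HTACCESS_TWO_SETS), ("merged value", HTACCESS_MERGED)):
        result = simulate_mod_headers(cfg)
        print(label, "->", result.get("content-security-policy"),
              "missing:", site_health_style_check(result))
```

    With two `set` lines the simulated response carries only `upgrade-insecure-requests`, so the Site Health item is satisfied but the report-uri is gone; the merged value keeps both. Whatever the file says, what matters is what reaches the client after any caching layer, which `curl -sD - -o /dev/null https://your-site/ | grep -i content-security-policy` shows directly.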

    Thread Starter José

    (@alquimia)

    Okay, Thank You @jarnovos

    I will ask them, or Google it!

  • The topic ‘A+ “Your website does not send all recommended security headers.”’ is closed to new replies.