• Resolved sedrs

    (@sedrs)


    Hello there,

    How can I please add security headers with WPFC? Any plugin I tried works fine until I activate WPFC again. That makes me sad tho

    Thanks

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi,

    what does it mean exactly? Which plugin are you using? What’s the issue after reactivating WPFC?

    Have you tried to purge WPFC cache and then reloading your page (when you’re not logged in) ?

    Can you see the desired security headers in browser’s developer tool (Network tab) ?

    Anyway…if it still doesn’t work you can add security headers manually to your .htaccess file (obviously Apache mod_headers.c must be activated if it’s not yet). Then delete your cache once again and check one more time in the browser’s dev tools.

    Have a look at this anyway, should help
    https://scotthelme.co.uk/hardening-your-http-response-headers/

    Good luck!

    Plugin Author Emre Vona

    (@emrevona)

    You cannot add a security header while you are using WP Fastest Cache.

    Thread Starter sedrs

    (@sedrs)

    Hi nerik73,

    I tried 3-4 plugins for security headers, also adding them through htaccess. I can see them when I turn off WP Fastest Cache, or if I purge the cache and set up headers, before WPFC erases them.
    If I lock htaccess then WPFC can't use it, sadly.

    @emre Vona
    There must be some way, no?

    @emrevona
    not true at all buddy! I’m running WPFC with security headers on several websites.

    @sedrs
    Are you maybe setting your header rules inside the WPFC dedicated section of .htaccess?

    I mean in between

    # BEGIN WpFastestCache
    and
    # END WpFastestCache

    If so this is the problem!!!

    You should set it AFTER (or before) that section…something like:

    # BEGIN WpFastestCache
    ...
    # END WpFastestCache
    
    # My custom headers here below
    
    <IfModule mod_headers.c>
    Header unset X-Powered-By
    Header unset Server
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    Header always append X-Frame-Options SAMEORIGIN
    Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>
    
    # END of my custom headers

    It works well for me!!!
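The placement check suggested in the reply above can be scripted. This is an added example, not code from the thread or from WP Fastest Cache; the function names and the sample file are constructed, and it assumes the block markers read exactly `# BEGIN WpFastestCache` and `# END WpFastestCache` as quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): report whether security-header
# directives sit inside or outside the WpFastestCache block of an .htaccess.
SEC_HEADERS='strict-transport-security|x-xss-protection|x-content-type-options|x-frame-options|referrer-policy'

# audit_htaccess FILE -> lines of "<inside|outside> <line-no> <header-name>"
audit_htaccess() {
    awk -v names="$SEC_HEADERS" '
        /^[ \t]*#[ \t]*BEGIN[ \t]+WpFastestCache/ { inside = 1; next }
        /^[ \t]*#[ \t]*END[ \t]+WpFastestCache/   { inside = 0; next }
        /^[ \t]*#/ { next }   # ignore other comment lines
        tolower($1) == "header" {
            # Syntax: Header [always|onsuccess] <action> <name> [value]
            i = 2
            if (tolower($i) == "always" || tolower($i) == "onsuccess") i++
            action = tolower($i)
            name = tolower($(i + 1))
            gsub(/"/, "", name)
            if (action == "unset") next   # removals are not audited
            where = inside ? "inside" : "outside"
            if (name ~ ("^(" names ")$")) print where, NR, name
        }
    ' "$1"
}

# count_misplaced FILE -> number of security headers inside the WPFC block
count_misplaced() {
    audit_htaccess "$1" | awk '$1 == "inside" { n++ } END { print n + 0 }'
}

# write_sample FILE -> constructed .htaccess, for demonstration only
write_sample() {
    cat > "$1" <<'EOF'
# BEGIN WpFastestCache
<IfModule mod_headers.c>
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set X-Content-Type-Options nosniff
</IfModule>
# END WpFastestCache
<IfModule mod_headers.c>
Header unset X-Powered-By
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
EOF
}
# Audit the file given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_htaccess "$1"; fi
```

Any line reported as `inside` is a rule to move below the `# END WpFastestCache` marker, as the reply recommends.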

    @sedrs

    Can you kindly confirm if my solution worked fine for you too please?

    Thread Starter sedrs

    (@sedrs)

    @nerik73
    I think I already tried both ways, inside # BEGIN WpFastestCache and outside, but I'll give it a try and I'll report soon :))

    Thread Starter sedrs

    (@sedrs)

    @nerik73

    It doesn't work for me, maybe because inside xx I have:
    <IfModule mod_headers.c>
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
    </IfModule>

    PS: Now I realized I can see security headers in the console, not on the domain document, but on every other file from my domain they are there. That’s the reason why https://www.serpworx.com/check-security-headers/ and https://securityheaders.com/ can't find any.

    @sedrs, sorry but I don’t understand…what do you mean by “domain document”? Is it your website home URL? If so, if you test “www.yourdomain.com/subpage” on securityheaders.com does it work??

    The header rules you’ve posted above are part of the automatic changes made by WPFC to .htaccess and they’re fine.
    And they don’t interfere with any other security headers you can specify afterwards in the same file.

    If you set the security headers OUTSIDE the WPFC .htaccess dedicated area, they must work!!

    Are you sure your Apache mod_headers module is active? Can you see it if you run a phpinfo()?

    Which OS is running on your hosting?

    Anyway…How can it be possible that you see headers in the console but not in a “public” HTTP response?!?

    Can you try with this tool: https://headers.cloxy.net/ and post what you get testing both home page and inner page of your website?

    I’m getting even more curious…let me know, please!

    Thread Starter sedrs

    (@sedrs)

    @nerik73 I meant the document type request in the Chrome Console.

    For another website I used Siteground with SG Optimizer and it works fine now, so I don't have to stress about this.
    I was using for testing:
    https://www.serpworx.com/check-security-headers/
    and
    https://securityheaders.com/

    I am making websites for myself and I had to move to another one, so I left the web without HTTP headers and, like I said, with SG Optimizer it's working all good, although I don't know how to set up CSP even with a plugin

  • The topic ‘How to add security headers with WPFC’ is closed to new replies.