• Resolved sushikishi

    (@sushikishi)


    I followed the guide here: https://really-simple-ssl.com/site-health-recommended-security-headers/

    But did so by editing the document through a plugin that makes backups of the .htaccess file and checks it for syntax errors (WP htaccess editor). I added what’s on the walkthrough exactly as directed and it matches what’s at the end, and the plugin said there was a syntax error. I said, eh, whatever, it makes a backup, lemme try anyway…sure enough, 500 error, had to roll back. I downloaded what the plugin put out as the htaccess file and the contents matched what I had expected, at least.

    This is what I was trying to use:

    # BEGIN rlrssslReallySimpleSSL rsssl_version[4.0.15]
    
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS 
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>
    # END rlrssslReallySimpleSSL
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    I notice each of the security lines provided doesn’t have a : between <thing to change> and <thing to change it to>, but I don’t know enough to know if that’s accurate.

    Am I in a situation where I need to do this instead — https://really-simple-ssl.com/security-headers-on-nginx/ ?

    Edit: URL if it matters — https://sukidesu.live

    • This topic was modified 3 years, 9 months ago by sushikishi.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Leon Wimmenhoeve

    (@leonwimmenhoeve)

    Hi @sushikishi,

    Please make sure that:
    1. You have enabled the “Stop editing the .htaccess file” setting in Really Simple SSL
    2. You only edited the Really Simple SSL part of your .htaccess.

    You won’t need the instructions from the NGINX article as long as your server uses .htaccess for Security headers.

    Kind regards,
    Leon

    Thread Starter sushikishi

    (@sushikishi)

    When I turned on “Stop editing the .htaccess file”, the Really Simple SSL part of the .htaccess file was removed. I turned all of the Really Simple SSL .htaccess switches off and on again.

    First, I turned Enable WordPress 301 redirect on, Enable 301 .htaccess redirect on, Stop editing the .htaccess file off. My htaccess file contained this:

    # BEGIN rlrssslReallySimpleSSL rsssl_version[4.0.15]
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>
    # END rlrssslReallySimpleSSL
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    And if I were to insert the lines on that version, I’d put it after the first # BEGIN rlrssslReallySimpleSSL comment line. That’s what I tried before, though, so instead I:

    Turned on “stop editing the .htaccess file”, which resulted in this .htaccess content before I did anything else:

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    And there isn’t a ReallySimpleSSL section to add the headers to, so I added them at the very top, except that still resulted in an internal server error and I had to revert my .htaccess file.

    The contents of the file that didn’t work were:

    # Really Simple SSL
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    # Really Simple SSL End
    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Plugin Author Mark

    (@markwolters)

    Hi @sushikishi,

    I don’t get any errors when using the following .htaccess file:

    # Really Simple SSL
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    # Really Simple SSL End
    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    

    What you could try is to use this as your .htaccess file. If this results in a 500 error, you could try to remove the security header rules one by one to see which one causes the 500 error on your site.

    Thread Starter sushikishi

    (@sushikishi)

    I tried that file and went one by one, but it just wasn’t having it. *shrug* I did find a plug-in that handled the changes for me (HTTP Headers), and explained what all of the options did. I didn’t get too fancy with it, I just added the headers that were recommended, and Site Health is happy now.

    I wonder if maybe uploading it through FTP was changing the permissions/accessibility of the file itself. I decided to dive in head-first and build everything from the ground up on Ubuntu and learn as I go, so it’s entirely possible it’s some rookie goof-up like that. Either way, I’m marking it as solved — I got where I was going to in the end. Thank you!
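To confirm which of the headers discussed in this thread a site actually returns once the change is in place (whether set via .htaccess or a plugin), here is an added example that is not from the thread or from the Really Simple SSL plugin; the expected-header list and the sample response are constructed, and example.invalid is a placeholder hostname.

```shell
#!/bin/sh
# Constructed example: report which of the headers recommended in the thread
# are missing from an HTTP response. Feed it raw response headers on stdin,
# e.g.:  curl -sI https://example.invalid/ | missing_security_headers
# (example.invalid is a placeholder hostname, not a site from the thread).

# Header names the thread's .htaccess snippet sets (assumption: these are the
# ones Site Health looks for; extend the list as needed).
EXPECTED_HEADERS="strict-transport-security
content-security-policy
x-content-type-options
x-xss-protection
expect-ct
referrer-policy"

# Print, one per line, each expected header that does not appear in the
# response headers read from stdin. Matching is case-insensitive and only
# looks at the name before the colon, so a value is never mistaken for a name.
missing_security_headers() {
    seen=$(tr -d '\r' | awk -F: '/^[A-Za-z0-9-]+:/ { print tolower($1) }')
    for h in $EXPECTED_HEADERS; do
        printf '%s\n' "$seen" | grep -qx "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample response: HSTS and nosniff are set, the rest are not.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
'

# Returns 0 when every expected header is present, 1 otherwise, and prints
# the missing ones so the output can feed a monitoring check directly.
check_sample() {
    missing=$(printf '%s' "$SAMPLE_RESPONSE" | missing_security_headers)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
```

On an Ubuntu Apache install the Header directive is only recognised once mod_headers is enabled (sudo a2enmod headers); wrapping the Header lines in <IfModule mod_headers.c> keeps an unloaded module from turning into a 500.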

  • The topic ‘htaccess Missing Security Headers — Adding them broke the site’ is closed to new replies.