• Resolved gobbetto

    (@gobbetto)


    I followed your guide to Manually adding recommended security headers on WordPress: https://really-simple-ssl.com/site-health-recommended-security-headers/ but it is not working

    the site crashes and tells me there is a problem with the file .htaccess

    this is my .htaccess before:

    # BEGIN LSCACHE
    # END LSCACHE
    # BEGIN NON_LSCACHE
    # END NON_LSCACHE

    # This file was updated by Duplicator on 2018-03-25 07:05:17. See .htaccess.orig for the original .htaccess file.
    # Please note that other plugins and resources write to this file. If the time-stamp above is different
    # than the current time-stamp on the file system then another resource has updated this file.
    # Duplicator only writes to this file once during the install process while running the installer.php file.

    # The directives (lines) between BEGIN WordPress and END WordPress are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.

    # Really Simple SSL
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    # End Really Simple SSL
    # Begin Really Simple Security
    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    Options -Indexes
    # End Really Simple Security
    # BEGIN WordPress
    # The directives (lines) between BEGIN WordPress and END WordPress are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

    Thanks in advance


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    I would try to remove all lines but one. If it still fails, your hosting company probably does not support security headers in the htaccess. They will be able to tell you more.

    Thread Starter gobbetto

    (@gobbetto)

    I will try

    thanks a lot

    Thread Starter gobbetto

    (@gobbetto)

    Hi, I asked my host and he told me to make the following changes:
    create a .user.ini file containing auto_prepend_file = "/home/mhd/www.aeki.biz/htdocs/prepend_headers.php"

    then create a file named prepend_headers.php containing this code

    <?php
    header('X-XSS-Protection: 1; mode=block');
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: same-origin');
    header('Content-Security-Policy: upgrade-insecure-requests');

    and they told me to leave the changes in the htaccess file as well

    After all these operations the problem persists.
    How do I solve it?
    thank you

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    If following instructions from your hosting provider still results in the site crashing, I would check with them. As I don’t know how your provider has configured your server, I can’t say why following their suggestions on their server results in an issue, but I guess they will know what the problem is.

    But I would think that if adding the rules to the .htaccess results in an issue, there is a configuration on the server that causes this. Removing those lines then seems best.

    And, I would not add the headers both in php and .htaccess, as this could result in duplicate headers. So I would ignore that part of your hoster’s advice anyway. It’s best to choose: in php or in the .htaccess. If .htaccess on your hosting environment doesn’t work, I’d go for the php approach.

    Thread Starter gobbetto

    (@gobbetto)

    After the changes made the site works,
    but in the WordPress improvement checks I still get the warning to fix the security headers.
    In practice, with the changes made, nothing has changed.
    thank you

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    You can check here if the headers are configured correctly:

    https://scan.really-simple-ssl.com

    If that is the case, it might be that the server blocks the test, causing a false positive.

    Thread Starter gobbetto

    (@gobbetto)

    test result:

    red problem

    HTTP Strict Transport Security (HSTS)
    Not Found
    Recommended: includeSubDomains; preload; max-age=63072000

    Permissions-Policy
    Not Found
    Recommended: Do not use *. e.g. for the camera feature: camera=(‘self’), camera=() or camera=(‘yourdomain.com’)

    yellow problem

    Referrer-Policy
    Content: same-origin
    Recommended: strict-origin-when-cross-origin

    X-XSS-Protection
    Content: 1; mode=block
    Recommended: 0

    the others are OK

    thanks

    • This reply was modified 1 year, 10 months ago by gobbetto.
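
Added example, not part of the thread or of the Really Simple SSL plugin: a Python check that applies the recommendations quoted in the scan result above to a response's headers, and also flags security headers sent more than once (the duplicate-header concern raised earlier in the thread when headers are set in both PHP and .htaccess). `SAMPLE`, `WATCHED`, `parse_headers` and `audit` are names chosen for this example, and the sample response is constructed.

```python
from collections import defaultdict

# Constructed sample response: the five PHP headers from the thread, with
# X-Content-Type-Options sent a second time as if .htaccess had added it too.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Security-Policy: upgrade-insecure-requests
"""

WATCHED = {"strict-transport-security", "permissions-policy", "referrer-policy", "x-xss-protection",
           "x-content-type-options", "x-frame-options", "content-security-policy"}

def parse_headers(raw):
    """Map lower-cased header name -> list of values, keeping repeats."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """Return (severity, header, message) findings; thresholds are the scan's recommendations."""
    h, out = parse_headers(raw), []
    for name in sorted(h.keys() & WATCHED):
        if len(h[name]) > 1:
            out.append(("warn", name, f"sent {len(h[name])} times"))
    hsts = [d.strip().lower() for v in h.get("strict-transport-security", []) for d in v.split(";")]
    ages = [int(d[8:]) for d in hsts if d.startswith("max-age=") and d[8:].isdigit()]
    if not hsts:
        out.append(("fail", "strict-transport-security", "not found"))
    elif not ages or ages[0] < 63072000 or "includesubdomains" not in hsts:
        out.append(("warn", "strict-transport-security", "weaker than recommended"))
    pp = h.get("permissions-policy", [])
    if not pp:
        out.append(("fail", "permissions-policy", "not found"))
    elif any("*" in v for v in pp):
        out.append(("warn", "permissions-policy", "uses *"))
    if h.get("referrer-policy", [""])[-1].lower() != "strict-origin-when-cross-origin":
        out.append(("warn", "referrer-policy", "recommended: strict-origin-when-cross-origin"))
    if h.get("x-xss-protection", ["0"])[-1] != "0":
        out.append(("warn", "x-xss-protection", "recommended: 0"))
    return out
```

Feeding `audit` the output of `curl -sI` for a site reports what is actually sent on the wire, whichever of PHP or .htaccess set it.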
  • The topic ‘Manually adding recommended security headers problems’ is closed to new replies.