Not all recommended security headers are installed

  • Resolved katrinz01

    (@katrinz01)


    3 months, 1 week ago

    Hi together!

    On a customer’s website, I found the following issue in Tools – Health Check:
    Not all recommended security headers are installed

    First, I compared all settings on my own website and my customer’s one, which are the same. After a recommendation, I checked the customer’s website AND my own one, using this tool:
    https://securityheaders.com/

    That tool shows that all my websites are missing these headers. ??
    However, I wonder about two things:

    1.) I have installed and carefully setup All in One WP Security on all my websites. As the security headers are an important thing, I’d expect that the plugin sets them.

    2.) Although the check with https://securityheaders.com/ shows the issue on my own website, too, it is not shown in Site Health. So, I am now even more lost about this…

    I could not find too many answers out there which would help me. They are reaching from “Install this and that plugin for the headers” to “Go to htaccess and enter the headers yourself”. To be honest, I don’t want to follow these advices, because …
    a) If I install another security plugin, there might be incompatibility issues.
    b) If I copy some code I don’t really understand to htaccess, I’ll probably mess up my whole website. Please excuse me from being no backend-expert. I can do a lot, but when it comes to such details, I am sometimes lost.

    So, if you are more experienced on that than I am, I’d appreciate your help with several kinds of info, for example:

    1.) Should All in One WP Security cover that security-header-topic at all, or is this excluded and I really need another plugin? I mean, hey… it’s called All in One… ??
    2.) If All in One WP Security should take care: Where could I have made a mistake to cause that issue?
    3.) Else if another plugin is needed – do you have a recommendation for a plugin which is for sure compatible with All in One WP Security?
    4.) How else could I solve this issue (without messing up my htaccess) ??
    5.) Does anyone have an idea why the issue is shown in the Site Health on one website, but not on the others?

    Thank you in advance for your valuable hints!
    As so often, I wonder why it seems that I am the only one with that problem… ??

    Katrin

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @katrinz01,

    1. All in One WP Security? do not include security header feature. It is feature request still under review.
    2. No AIOS do not have that.
    3. If you want I can review other plugins and suggest.
    4. Tools > Custom .htaccess rules you may use in AIOS to add .htaccess rules regarding security headers.
    5. Need to check in more detail. I do not see this issue in my live sites AIOS installed also.

    Regards

    Thread Starter katrinz01

    (@katrinz01)

    Hi Hjogi… ??!

    Thank you for your quick reply! ??

    Your answer 1 is a valuable hint for me – now I know for sure that I have to take care myself – somehow. Thank you for letting me know.

    And – meanwhile I could answer my question number 5 myself: On some clients’ websites, I have installed ‘Really Simple SSL’. Because for any reason, these websites had troubles with mixed content after migration. And that’s the answer: That plugin shows the error message about security headers.

    Unfortunately, it just shows the message, but only the pro-version provides the according feature. So, it’s good to know that this feature is also planned for AIOS. Thanks for that info, too!

    If you can suggest other plugins which are compatible and do the same, it would be helpful. But I don’t want to cause so much effort for you. Just if you think that others might have the same question and would appreciate the answer, too.

    Have a great day!
    Katrin

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @katrinz01

    If I cross-check I can find the below plugins you should check more details and choose one compatible to your PHP / WP version and as per the error it shows / solves on https://securityheaders.com/


    Headers Security Advanced & HSTS WP

    HTTP Headers

    Regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.