• Resolved nevrsmer

    (@nevrsmer)


    Hello,

    When enabling the options in Advanced Tools –> Security Headers and all the options in Security Tweaks, is anything written to the .htaccess file (it’s an Apache server)?

    I ask because, after enabling all the options in Security Headers and in Security Tweaks, I ran a site security scan on Sucuri that listed all the following issues with security headers (note: when available, a stricter option has been chosen when configuring the options in Security Headers and in Security Tweaks):

    Sucuri Security Headers Issues
    · Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors ‘none’.
    · Missing security header to prevent Content Type sniffing.
    · Missing Strict-Transport-Security security header. Affected pages:
    · Missing Content-Security-Policy directive.
    · We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

    Would you know why there is an issue with these security headers if they are enabled in Security Headers and in Security Tweaks and set to a strict option?

    Thank you and have a good day.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hello @nevrsmer

    I hope you’re doing well!

    After enabling security headers there is no code added to the .htaccess file.

    If your site is integrated with Sucuri, please make sure to purge the cache on Sucuri’s end before running a test.

    If not, please make sure to purge all caching and check if the server cache is enabled and flush it as well.

    After this, please run a new test.

    If the issue still persists, please share here a link to your site so we could check it from our end.

    Kind regards,
    Nastia

    Thread Starter nevrsmer

    (@nevrsmer)

    Hello Nastia,

    Thank you for the quick response.

    My apologies. I should have been clearer. Our site is not integrated with Sucuri or any other similar service. We were looking for a way to scan our site for security issues and found Sucuri’s free website scan tool at: https://sitecheck.sucuri.net/.

    As per your recommendations, I purged all caches – server, application, CDN, and browser. I also restarted Apache and NGINX. I then reran the test and the security warnings are still present. At this point, I don’t know what to do as we have all the options in Defender’s Security Headers and in Security Tweaks enabled and set to a strict option when available and have cleared all caches.

    So that you can check it on your end, our domain is: arenasfoto.com.

    Thank you very much for your time and have a good day.

    Cheers!

    Plugin Support Dimitris – WPMU DEV Support

    (@wpmudev-support6)

    Hello @nevrsmer

    Could you please send me an email to [email protected] using this template:

    Subject: “Attn: Dimitris”

    Message: link back to this thread for reference

    Keep in mind the subject line, as it ensures that it gets assigned to me.

    Thank you,
    Dimitris

    Hello @nevrsmer

    I hope you are doing well!

    We haven’t heard back from you for a while now so we’ve marked this ticket as resolved. If you do have any followup questions or require further assistance feel free to reopen it and let us know here.

    Kind regards,
    Nastia

  • The topic ‘Question – Security Headers & Security Tweaks’ is closed to new replies.
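
An added example, not part of the thread and not the plugin's or the scanner's code: a small Python check that takes the raw response headers a page actually returns and reports the same categories of finding the scan in the first post listed. The function names, finding labels and both sample responses are constructed for illustration; the check also reflects that `base-uri` is not covered by `default-src`, while `script-src`, `object-src` and `frame-src` are.

```python
FETCH_DIRECTIVES = ("script-src", "object-src", "frame-src")  # fall back to default-src

def parse_headers(raw):
    """Parse a raw header block (status line first) into {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(raw):
    """Return labels (constructed for this example) for each missing protection."""
    h = parse_headers(raw)
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("content-type-sniffing")
    if "strict-transport-security" not in h:
        findings.append("hsts")
    if not csp:
        findings.append("csp")
        return findings
    for directive in FETCH_DIRECTIVES:
        if directive not in csp and "default-src" not in csp:
            findings.append("csp:" + directive)
    if "base-uri" not in csp:  # base-uri has no default-src fallback
        findings.append("csp:base-uri")
    return findings

# Constructed sample responses, not captured from the site in the thread.
BARE = "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html; charset=UTF-8\n"
HARDENED = ("HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n"
            "X-Content-Type-Options: nosniff\n"
            "Strict-Transport-Security: max-age=31536000\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n")

if __name__ == "__main__":
    print(audit(BARE), audit(HARDENED))
```

Passing it the header block printed by `curl -sI` for the affected page shows what the server returns for that request, independent of any scanner.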