Security Headers Not Enabled Warning

  • Resolved imincognito

    (@imincognito)


    3 years, 3 months ago

    Hi,

    I’m getting the following error in your plugin, even though securityheaders.com indicates that my security headers are correctly set. I’m relatively new to secure header, so perhaps I’m missing sth obvious or I’ve got minor syntax error.

    Can you shed some light as to why Simple SSL is showing this warning?

    Environment
    WP 5.8.2
    Simple SSL 5.2.0

    Simple SSL Warning
    The following recommended security headers are not enabled:
    Upgrade Insecure Requests
    Referrer-Policy
    Permissions-Policy

    htaccess Secure Headers Settings

    # BEGIN SECURITY HEADER MODS
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options "nosniff"
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
	Header set X-Permitted-Cross-Domain-Policies "none"
	Header set Content-Security-Policy "
		default-src 'self';
		font-src 'self';
		img-src 'self';
		script-src 'self';
		style-src 'self';
		upgrade-insecure-requests;
		"
	Header set Referrer-Policy "same-origin"
	Header set Feature-Policy "
		geolocation 'self 'https://sandbox.easternwind.asia;  
		gyroscope 'self';
		execution-while-not-rendered 'none'
		"
	Header set Permissions-Policy "
		geolocation = (self 'https://sandbox.easternwind.asia),  
		gyroscope (self),
		execution-while-not-rendered ()
		"
	Header set Expect-CT: max-age=86400, enforce, report-uri="https://sandbox.easternwind.asia/report"
</IfModule>
# END SECURITY HEADER MODS

    Thx!

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Mark

    (@markwolters)

    Hi @imincognito,

    the security headers are indeed set correctly on your site. The notice likely still shows because of caching. Could you try to re-save the Really Simple SSL settings? That will clear the cache and should remove the notice. Alternatively, you can press the ‘dismiss’ link or the X right next to it.

    Thread Starter imincognito

    (@imincognito)

    Hey Mark,

    Thx so much for the quick reply. Actually, I did clear the LiteSpeed cache and the notice still appeared, so I’m not sure if Simple SSL has a separate chache. Either way, dismiss works – as long as the settings are correct, that’s all that matters.

    Thx!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Security Headers Not Enabled Warning’ is closed to new replies.