Securityheaders.com showing no CSP

  • Hello,

    When I check my security headers on https://securityheaders.com/, it says that my site does not have a content security policy header. Should I still add something like below to my .htaccess file to make this work?

    Header set Content-Security-Policy default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

    Or is it only not showing because it is created once the user presses the accept cookies button?

    Thank you very much for your support.

    The page I need help with: [log in to see the link]

Viewing 4 replies - 16 through 19 (of 19 total)
  • Thread Starter rkingisl

    (@rkingisl)

    Hmmm, I don’t understand. I can see the CSP listed in the head of the source, or is it something else that’s missing? It also effectively blocks resources that don’t have their domains listed in the plugin settings, so it seems to be working for me.

    I can set up a staging site at some point, but I’m very busy and don’t have much time to to work on the website at the moment. Is there anything else you would suggest, or should I contact you again once the staging site is active?

    Thank you again,
    Ryan

    Plugin Author Johan Jonk Stenstr?m

    (@jonkastonka)

    I really don’t get it either unfortunately.

    Thread Starter rkingisl

    (@rkingisl)

    I found the following in the site’s .htaccess file. Could it be causing any problems?

    <ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: no-referrer-when-downgrade
Header always set Permissions-Policy "geolocation=(self); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"  
</ifModule>
    • This reply was modified 2 years, 2 months ago by rkingisl.
    Plugin Author Johan Jonk Stenstr?m

    (@jonkastonka)

    I actually have no idea. But you can temporarily remove them and see if it makes any difference.

Viewing 4 replies - 16 through 19 (of 19 total)
  • The topic ‘Securityheaders.com showing no CSP’ is closed to new replies.