• Resolved presson2022

    (@presson2022)


    WordPress has told me via Site Health that my website does not send all recommended security headers.

    • Upgrade Insecure Requests
    • X-XSS protection
    • X-Content Type Options
    • Referrer-Policy
    • X-Frame-Options
    • Permissions-Policy
    • HTTP Strict Transport Security

    I added this to my .htaccess and it does nothing different.

    # Straight quotes are required; curly quotes break mod_headers parsing
    Header always set X-XSS-Protection "0"
    # env=HTTPS limits HSTS to TLS responses; browsers ignore it over plain HTTP anyway
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy ""

    Please advise.

    Thank you

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support jarnovos

    (@jarnovos)

    Hi @presson2022,

    The message appears when the plugin did not detect these Security Headers on your website yet. If you post your website URL here, we can check if they are correctly being set at the moment.

    If they are correctly set but the message still appears, it is likely because the notice is “cached”.

    Kind regards, Jarno

    Thread Starter presson2022

    (@presson2022)

    I don’t see a way to send the URL privately.

    Plugin Support jarnovos

    (@jarnovos)

    Hi @presson2022,

    You can also test these headers yourself by entering your URL in this Security Header test tool: https://scan.really-simple-ssl.com/

    That will tell you which ones are still missing.

    Kind regards, Jarno
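    The same check the scan tool performs can be run locally. The script below is an added example for this thread, not code from Really Simple SSL or WordPress. It parses a raw HTTP response head (the sample response is constructed to mirror the .htaccess rules in this thread) or fetches a URL you pass on the command line, and lists which of the headers named in the Site Health notice are absent. It assumes that the "Upgrade Insecure Requests" item corresponds to the upgrade-insecure-requests directive of a Content-Security-Policy response header, and that HSTS only matters on HTTPS responses, which is why the .htaccess rule carries env=HTTPS.

```python
"""Added example for this thread (not part of Really Simple SSL or WordPress):
report which of the security headers WordPress Site Health recommends are
absent from an HTTP response, from a raw response head or a live URL."""
import sys
import urllib.request

# Lower-cased header names mapped to the label Site Health uses.
# Assumption: "Upgrade Insecure Requests" is not a header of its own but the
# upgrade-insecure-requests directive inside Content-Security-Policy.
RECOMMENDED = {
    "strict-transport-security": "HTTP Strict Transport Security",
    "x-content-type-options": "X-Content Type Options",
    "x-frame-options": "X-Frame-Options",
    "referrer-policy": "Referrer-Policy",
    "permissions-policy": "Permissions-Policy",
    "x-xss-protection": "X-XSS protection",
    "content-security-policy": "Upgrade Insecure Requests",
}

# Constructed sample: what a server applying the thread's .htaccess rules
# might return, minus Permissions-Policy and with no CSP header at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html></html>"
)


def parse_response_head(raw):
    """Parse the status line and headers of a raw HTTP response into a dict
    keyed by lower-cased header name. Repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: ignore rather than crash
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def missing_headers(headers, over_https=True):
    """Return the Site Health labels of recommended headers that are absent.
    Browsers only honour HSTS over HTTPS (hence env=HTTPS in the .htaccess),
    so it is only checked when the response was fetched over HTTPS."""
    missing = []
    for name, label in RECOMMENDED.items():
        value = headers.get(name)
        if name == "content-security-policy":
            if value is None or "upgrade-insecure-requests" not in value.lower():
                missing.append(label)
        elif name == "strict-transport-security" and not over_https:
            continue
        elif value is None:
            missing.append(label)
    return missing


def check_url(url):
    """Fetch a URL with a plain GET and report missing headers. A browser-like
    User-Agent is used because some hosts vary headers by client."""
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(request, timeout=15) as response:
        headers = {}
        for name, value in response.headers.items():
            name = name.lower()
            headers[name] = headers[name] + ", " + value if name in headers else value
    return missing_headers(headers, over_https=url.lower().startswith("https://"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_url(sys.argv[1])
    else:
        result = missing_headers(parse_response_head(SAMPLE_RESPONSE))
    print("Missing:", ", ".join(result) if result else "none")
```

    Run it with no arguments to see the constructed sample evaluated (it reports Permissions-Policy and Upgrade Insecure Requests as missing), or pass your site's https:// URL to test the live response. If a header you set in .htaccess is absent here as well, the problem is in the server rather than in the plugin's notice.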

    Thread Starter presson2022

    (@presson2022)

    I have added this below to the bottom of my .htaccess file and deleted my cache. I ran that URL and it still says it can’t find those entries.

    Really Simple SSL

    # env=HTTPS limits HSTS to TLS responses; browsers ignore it over plain HTTP anyway
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
    # Straight quotes are required; curly quotes break mod_headers parsing
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy ""

    End Really Simple SSL

    What am I missing?

    Plugin Support jarnovos

    (@jarnovos)

    Hi @presson2022,

    If the Security Header test doesn’t show that the headers are sent, while you do have them added to your .htaccess file: there is possibly a server configuration that prevents them from being set.

    I would recommend checking with your Hosting Provider if that might be the case, and how you should add the headers instead. For example, it could be that the Apache module mod_headers.c is not enabled.

    Kind regards, Jarno

    Thread Starter presson2022

    (@presson2022)

    That was the first thing I checked. It’s enabled. I’m my own server.

    Your plugin is recommending that this be done and I’ve done it and it doesn’t do anything. I would hope that you can help people get this working.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @presson2022 in that case your hosting provider does not support security headers in the htaccess file. You can check with them to confirm.

    Thread Starter presson2022

    (@presson2022)

    I have my own dedicated servers through GoDaddy.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @presson2022 I can’t say why the HTTP headers are not sent by your server. The .htaccess code looks fine. Most likely there is something in the server configuration that needs to be adjusted, or possibly they override the headers on their end. If it’s a GoDaddy server, they should be able to tell you more about it.

  • The topic ‘Site Health’ is closed to new replies.