• Resolved barnez

    (@pidengmor)


    Hi,

    I’ve set several HTTP response headers through NFW:

    X-Content-Type-Options – YES
    X-Frame-Options – SAMEORIGIN
    X-XSS-Protection – YES
    Strict-Transport-Security – 1 YEAR

    If I check the header responses in Chrome I can see them listed: https://snag.gy/B67y3v.jpg

    However, if I check through popular HTTP response header scanners they are showing as missing:

    Mozilla Observatory
    High Tech Bridge
    Security Headers

    Is something blocking them from reading these headers?


Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter barnez

    (@pidengmor)

    If I add the rules directly to the main .htaccess file then they are recognised by the scans.

    Plugin Author nintechnet

    (@nintechnet)

    I used htbridge.com to scan a site that has all headers enabled and it returned there were no headers at all. A bit odd.
    Try to test it yourself with the cURL command from a shell:

    $ curl -I http(s)://YOUR-BLOG/index.php

    The -I switch will display headers only.

    Thread Starter barnez

    (@pidengmor)

    Thanks for looking into this.

    Try to test it yourself with the cURL command from a shell:

    That is outside my skill set I’m afraid. I’m happy to apply these headers through the .htaccess file for now, but wanted to let you know in case this is happening more widely than just in my case. If there is any other testing I can apply that does not involve shell access, just let me know.

    Plugin Author nintechnet

    (@nintechnet)

    I think those scanners scan all links, including static files such as images. Because NF is a PHP firewall, the image response headers will not include the security headers, and thus the scanner tells you they are missing.
    You can try the Firefox “Net” console (other browsers have the same feature, more or less):
    - Press CTRL + Shift + J to display the console.
    - Select the “Net” tab only.
    - Go to your website.
    - Click on the arrow beside the name of the site to display the response headers.

    Thread Starter barnez

    (@pidengmor)

    Ahh. That could be it then.

    Oddly, the NFW security headers are showing as present in the Chrome console, but not in the Firefox console.

    Plugin Author nintechnet

    (@nintechnet)

    Your best option is the cURL shell command: you can run it from SSH, or from a plugin, or from a PHP script that you can upload to your site and access it with your browser such as this one:

    <?php
    // Serve the raw curl output as plain text so the browser shows the headers unmodified.
    header('Content-Type: text/plain');
    // Backticks run the command through the shell, the same as shell_exec().
    echo `curl -I https://YOUR-BLOG/index.php`;
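An added example (not code from the thread or from the NinjaFirewall plugin) that covers the point made earlier, that a PHP firewall only adds headers to PHP responses, and the `curl -I` check above: it parses the text `curl -I` prints and reports which of the four headers set through NFW are missing. The two responses below are constructed samples, not captured from any real site.

```python
import re

# The four headers the thread sets through NFW, compared case-insensitively.
SECURITY_HEADERS = (
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "strict-transport-security",
)

def parse_curl_headers(raw):
    """Parse `curl -I` output into (status line, {lower-cased name: value}).
    Only the last response block is kept, so redirect responses printed
    before it (e.g. with curl -L) are ignored."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    lines = blocks[-1].splitlines()
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip anything that is not a "Name: value" header
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers

def missing_security_headers(raw):
    """Names from SECURITY_HEADERS that the response does not carry."""
    _, headers = parse_curl_headers(raw)
    return [h for h in SECURITY_HEADERS if h not in headers]

# Constructed samples: a PHP page that passes through the firewall, and a
# static image served directly by the web server without touching PHP.
PHP_PAGE = """HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Type: text/html; charset=UTF-8
"""

STATIC_IMAGE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: image/png
Content-Length: 1234
"""

def report(samples):
    """Map each resource name to the list of headers it is missing."""
    return {name: missing_security_headers(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, missing in report({"index.php": PHP_PAGE, "logo.png": STATIC_IMAGE}).items():
        print(f"{name}: {'all present' if not missing else 'missing ' + ', '.join(missing)}")
```

A scanner that also fetches `logo.png` sees the second result and reports the headers as missing, which is what the thread describes; adding the headers in `.htaccess` applies them to static files as well.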

    Thread Starter barnez

    (@pidengmor)

    I tried the php script and the security headers set in NFW are present there. It looks like you’re right: the scanners I mentioned above have a flaw in how they collect this data from the header response. Many thanks for working through this.

  • The topic ‘HTTP response headers’ is closed to new replies.