HTTP response headers

That’s odd.
You can try to use a Unix terminal to check them. For instance, testing www.ads-software.com:
curl -I https://www.ads-software.com/
That returns:

HTTP/2 200 
server: nginx
date: Thu, 01 Sep 2022 07:31:39 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
strict-transport-security: max-age=360
x-olaf: ?
link: <https://www.ads-software.com/wp-json/>; rel="https://api.w.org/"
link: <https://www.ads-software.com/wp-json/wp/v2/pages/457>; rel="alternate"; type="application/json"
link: <https://w.org/>; rel=shortlink
x-frame-options: SAMEORIGIN
x-nc: HIT ord 2

If you don’t have a shell, you can use the https://www.ads-software.com/plugins/wpterm/ plugin.

Ok,
I will try. I am not familiar with shell

Hello,
Sorry for the delay.

I didn’t succeed with the Unix terminal so I used Postman.

I confirm the problem : for two different websites with the same settings, I have two different results with securityheaders.com (grade D and grade B) and with Postman no X-Frame-Options, X-Content-Type-Options and Referrer-Policy for the grade D and ok for the grade B.

Are you using a caching plugin or a CDN? If you are, flush the cache and try again.

Yes I’m using caching plugin. I cleared cache and it’s ok.

But I tested a website with the same cache plugin where I’m sure to have cleared cache 3 days ago and it’s on grade D…

And the website with the grade B has another cache plugin

I will ask the support of the cache plugin because I don’t want to clear cache everyday (I don’t see the interest with static content)

Thanks for your help