Missing security headers SSL

Hi @dirollordi,

the plugin indeed checks if security headers have been set. The notice will disappear if you add any of the following security headers to your site: https://really-simple-ssl.com/everything-you-need-to-know-about-security-headers/

Hi @markwolters ,

I added

# BEGIN Really Simple SSL
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
# END Really Simple SSL

at the top of my .htaccess file in /opt/bitnami/apps/wordpress/htdocs , but the “recommended improvement” message doesn’t go away. Also securityheaders.com shows that the headers added above aren’t active. What is the problem?

UPDATE.

I found one problem. Apache wasn’t parsing .htaccess. I solved it by modifing /opt/bitnami/apps/wordpress/conf/httpd-app.conf (AllowOverride None --> AllowOverride All). I checked on securityheaders.com and it worked.

However, the “recommended improvement” message on my site-health page was still there. I noticed that the header Content-Security-Policy was missing from https://really-simple-ssl.com/site-health-recommended-security-headers/. Thus, I added Header set Content-Security-Policy "default-src 'self';" to my .htaccess but that disabled JavaScript on my website. Do you have any tip for me at this point? Thanks!

UPDATE

I fine-tuned my policy following https://developers.google.com/web/fundamentals/security/csp#use_case_3_ssl_only . Now the site-health page loads, but doesn’t show the statistics as some resources are still blocked (e.g. use of eval() in JavaScript). Is there a way to use the header Content-Security-Policy without breaking something in WordPress?

As the content security policy can get quite complicated to enforce, I recommend to use this one:

Header always set Content-Security-Policy "upgrade-insecure-requests"

Hi, this error appears after installing the plugin. Can you help me (I want the code that I should write in the htaccess file) Thank you..
————————

Your .htaccess file does not contain all recommended security headers.

HTTP Strict Transport Security

Content Security Policy: Upgrade Insecure Requests

X-XSS protection

X-Content Type Options

Referrer-Policy

Expect-CT

? have the same problem. What is exact solutions.

Your .htaccess file does not contain all recommended security headers.
HTTP Strict Transport Security
Content Security Policy: Upgrade Insecure Requests
X-XSS protection
X-Content Type Options
Referrer-Policy
Expect-CT

https://bujuyollarda.com/

Please follow these steps:
https://really-simple-ssl.com/site-health-recommended-security-headers

wow, what a mess, waste peoples time, annoy them, so that they cave and buy the pro version. anyone know of a better program?

by the way, I found a work around, and its SIMPLE.
1 go to plugins, locate Really SIMPLE SSL
2 click deactivate, and select KEEP HTTPS (important)

your site remains with the security lock icon, and the “Not all recommended security headers are installed” on the site health will be gone. and google wont ding you anymore.

you will only see “you should remove inactive plugins”
I don’t know about you, but i’m fine with that.

@etr316 glad to hear you found a solution that works for you.

thanks Roger for this code: Header always set Content-Security-Policy “upgrade-insecure-requests”

So finally what is the real solution for this?

the solution is, you have to edit your htaccess file and add the code and save.

Ok added it to the last line but that health message is still there