Securityheaders.com showing no CSP

No, you don’t need to add that. The content security policy header is added through the plugin.

Okay, thank you. So, just out of curiosity, why would the website not detect it?

Opening the console I can see:
Content Security Policy: The page’s settings blocked the loading of a resource at https://s.w.org/images/core/emoji/14.0.0/svg/2197.svg (“img-src”).
So, I would say that the website is detecting it. Why do you think the website is not detecting it?

It’s because when I run the security headers scan, on this site or on some others I’ve tried, they all say that my headers are complete but that I don’t have content security policy headers (see screenshot).

That is defenetly strange, can you share with me what tool you used?

Yes, it’s the one I linked to in my first post:
https://securityheaders.com
But I’ve tried a few other sites and had the same results:
eg. https://www.serpworx.com/check-security-headers/

Do you have a cache plugin installed maybe? Then try reading these:

The settings does not seem to have an effect. What do I do?

I’m using a cache plugin, and it seems to be interfere with this plugin

I would try this first to see if you get a different result when scanning the site:

If you’re using static page cache that doesn’t go through php, go to Settings > Cookies and Content Security Policy > Settings and check Use meta under Advanced settings.

Hello again,

I’m not using a cache plugin. I just use Cloudflare’s standard caching, but I’ve cleared the cache and am still having the same problem. I already had “meta” selected, so I tried to deselect it but that didn’t fix it either. It’s bizarre, since it seems to be functioning correctly, it’s just that the site doesn’t detect it being there. Any other suggestions would be appreciated.

Thanks again,
Ryan

Very strange indeed. I use Cloudflare on a number of sites too, but I don’t have that issue at all.

Any luck solving this?

No, unfortunately not. I tried your suggestions above, but am still getting the same response from the SecurityHeaders website. Any more suggestions would be appreciated.

No, this is so strange.

Do you have a staging environment where we can test if other plugins are interfering with it?

Can you check debug in the settings?

How is this coming along?

Hello,

I don’t have a staging environment, unfortunately. I can try disabling some plugins to see if it makes a difference. The thing is it seems to be functioning perfectly from my end. It’s just the securityheaders site that doesn’t seem to recognize that it’s there.

I’ve enabled debug in settings.

Checking for CSP in the browser gives the same result as the securityheaders site, so something is wrong. I just can’t see that from my end.

Can’t you set up a staging environment?