Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support jarnovos

    (@jarnovos)

    Hi @connie1193,

    This header instructs the user’s browser to upgrade any insecure (HTTP) requests to secure (HTTPS) requests. It doesn’t look like the “Content-Security-Policy: upgrade-insecure-requests” header is currently being set on this website.

    Just like the other headers in the article, you can add it manually. You can do this by adding the below line to the .htaccess file:

    Header always set Content-Security-Policy "upgrade-insecure-requests;"

    Kind regards, Jarno

    Thread Starter connie1193

    (@connie1193)

    Hello, thank you. I added all those headers at the end of the .htaccess file, but I still see the notice in the WP Site Health.

    BR, Cornelia

    Plugin Author Mark

    (@markwolters)

    Hi @connie1193,

    Your site still seems to be missing the recommended HTTP Strict Transport Security (HSTS) header. Can you verify if that header has also been set in your .htaccess file? Does the notice only show the HSTS header or does it also include other headers?

    Thread Starter connie1193

    (@connie1193)

    Hello @markwolters, no, the notice does not include HSTS, but all of the others. That’s why I did not include the HSTS in the .htaccess file.

    This is what I added in the file:

    # Really Simple SSL

    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options: "SAMEORIGIN"
    Header always set Permissions-Policy: ""
    Header always set Content-Security-Policy "upgrade-insecure-requests;"

    # End Really Simple SSL

    Plugin Support jarnovos

    (@jarnovos)

    Hi @connie1193,

    All of these Security Headers are correctly being returned on your site (you can view the test results here), so I expect that the Site Health notice is still cached.

    The message should therefore disappear over time, but in any case, these headers have already been set correctly!

    Kind regards, Jarno
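
Added example, not part of the original thread or the plugin's code: one way to check from a saved response (for instance the output of `curl -sI`) which of the headers discussed here are actually being sent, independent of a cached Site Health notice. The function names and the sample response are constructed for illustration, and the typographic-quote check assumes that curly quotes pasted into .htaccess from a rendered web page end up inside the header value.

```python
# Headers from the thread's .htaccess block, plus HSTS, which the plugin author asks about.
RECOMMENDED = [
    "x-xss-protection", "x-content-type-options", "referrer-policy",
    "x-frame-options", "permissions-policy", "content-security-policy",
    "strict-transport-security",
]
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes a rendered page may substitute

# Constructed sample response, not captured from the site in the thread.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: \u201cstrict-origin-when-cross-origin\u201d
X-Frame-Options: SAMEORIGIN
Permissions-Policy:
Content-Security-Policy: upgrade-insecure-requests;

<html>"""


def parse_headers(raw):
    """Parse a raw response header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return {header: finding} for each recommended header that is missing or malformed."""
    headers = parse_headers(raw)
    findings = {}
    for name in RECOMMENDED:
        values = headers.get(name)
        if values is None:
            findings[name] = "missing"
        elif any(ch in v for v in values for ch in SMART_QUOTES):
            findings[name] = "value contains typographic quotes"
    csp = ";".join(headers.get("content-security-policy", [])).lower()
    directives = [d.strip() for d in csp.split(";")]
    if csp and "content-security-policy" not in findings \
            and "upgrade-insecure-requests" not in directives:
        findings["content-security-policy"] = "no upgrade-insecure-requests directive"
    return findings
```

An empty finding set means every header in the list was present in the response that was checked.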

    Thread Starter connie1193

    (@connie1193)

    Thank you!

  • The topic ‘Your website does not send all recommended security headers.’ is closed to new replies.