Apache - Missing Headers Security Report .htaccess

PaulodoPorto
August 21, 2024
194 views
0 votes
2 Answers

I’m trying to adjust the security headers. The server is Apache. the site is based on wordpress. I’ve already modified this file ten times, I’ve uploaded it to the server ten times and I still haven’t figured out what I’m doing wrong.

Could someone help me and save my day please?

Below is the complete .htacess file.

I’m also using Litespeed Cache on the website, I’ve already cleaned the cache twenty times and nothing happens.

When I scan the website on https://securityheaders.com/, the Security Report Summary that is generated is always D.

Full content: .htacess

PS: I repeated the headers’s line in the .htaccess file to be true that I’m not doing something wrong, but it seems that there is still something wrong. Any help or any questions please?

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule .litespeed_conf.dat - [F,L]

### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###

### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera Mini|Opera Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###

### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts).php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###

### marker FAVICON start ###
RewriteRule favicon.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600

ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600

ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600

ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600

ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600

</IfModule>
### marker BROWSER CACHE end ###

## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE

# SECURITY HEADERS - INSERTION 13:13 26.03.2024
## 01° BEGIN
## 02° BEGIN
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
</IfModule>
## 03° BEGIN
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
</IfModule>
## 04° BEGIN
<IfModule mod_headers.c>
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
## 05° BEGIN
<IfModule mod_headers.c>
    Header always set Expert-CT "max-age=777600, enforce"
</IfModule>
## 06° BEGIN
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
## 07° BEGIN
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
## 08° BEGIN
<IfModule mod_headers.c>
    Header always set X-Frame-Options: "SAMEORIGIN"
</IfModule>
## 09° BEGIN
<IfModule mod_headers.c>
    Header always set Permissions-Policy: "no-referrer-when-downgrade"
</IfModule>
# END SECURITY HEADERS

# SECURITY H INSERTION 13:13 26.03.2024
    Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
    Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expert-CT "max-age=777600, enforce"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options: "SAMEORIGIN"
    Header always set Permissions-Policy: "no-referrer-when-downgrade"
# END SECURITY H

# START IONOS Performance Directory Index
# IONOS Directory Index v1
<IfModule mod_dir.c>
    DirectoryIndex index.php
</IfModule>
# END IONOS Performance Directory Index

# START IONOS Performance Cache Expiration
# IONOS Cache Expiration v1
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css A2419200
    ExpiresByType text/x-component A2419200
    ExpiresByType application/x-javascript A2419200
    ExpiresByType application/javascript A2419200
    ExpiresByType text/javascript A2419200
    ExpiresByType text/x-js A2419200
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType image/svg+xml A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A2419200
    ExpiresByType video/avi A2419200
    ExpiresByType image/bmp A2419200
    ExpiresByType application/java A2419200
    ExpiresByType video/divx A2419200
    ExpiresByType application/msword A2419200
    ExpiresByType application/vnd.ms-fontobject A2419200
    ExpiresByType application/x-msdownload A2419200
    ExpiresByType image/gif A2419200
    ExpiresByType application/x-gzip A2419200
    ExpiresByType image/x-icon A2419200
    ExpiresByType image/jpeg A2419200
    ExpiresByType application/json A2419200
    ExpiresByType application/vnd.ms-access A2419200
    ExpiresByType audio/midi A2419200
    ExpiresByType video/quicktime A2419200
    ExpiresByType audio/mpeg A2419200
    ExpiresByType video/mp4 A2419200
    ExpiresByType video/mpeg A2419200
    ExpiresByType application/vnd.ms-project A2419200
    ExpiresByType application/x-font-otf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType application/vnd.oasis.opendocument.database A2419200
    ExpiresByType application/vnd.oasis.opendocument.chart A2419200
    ExpiresByType application/vnd.oasis.opendocument.formula A2419200
    ExpiresByType application/vnd.oasis.opendocument.graphics A2419200
    ExpiresByType application/vnd.oasis.opendocument.presentation A2419200
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2419200
    ExpiresByType application/vnd.oasis.opendocument.text A2419200
    ExpiresByType audio/ogg A2419200
    ExpiresByType application/pdf A2419200
    ExpiresByType image/png A2419200
    ExpiresByType application/vnd.ms-powerpoint A2419200
    ExpiresByType audio/x-realaudio A2419200
    ExpiresByType image/svg+xml A2419200
    ExpiresByType application/x-shockwave-flash A2419200
    ExpiresByType application/x-tar A2419200
    ExpiresByType image/tiff A2419200
    ExpiresByType application/x-font-ttf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType audio/wav A2419200
    ExpiresByType audio/wma A2419200
    ExpiresByType application/vnd.ms-write A2419200
    ExpiresByType application/font-woff A2419200
    ExpiresByType application/vnd.ms-excel A2419200
    ExpiresByType application/zip A2419200
</IfModule>
# END IONOS Performance Cache Expiration

# START IONOS Performance Deflate
# IONOS Deflate v1
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/cache-manifest
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/vcard
    AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc
    AddOutputFilterByType DEFLATE text/vtt
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE text/x-cross-domain-policy
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/activity+json
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/ld+json
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/manifest+json
    AddOutputFilterByType DEFLATE application/rdf+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/schema+json
    AddOutputFilterByType DEFLATE application/vnd.geo+json
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE font/eot
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE image/bmp
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
    AddOutputFilterByType DEFLATE image/x-icon
</IfModule>
# END IONOS Performance Deflate

# BEGIN WordPress
# Die Anweisungen (Zeilen) zwischen „BEGIN WordPress“ und „END WordPress“ sind
# dynamisch generiert und sollten nur über WordPress-Filter geändert werden.
# Alle Änderungen an den Anweisungen zwischen diesen Markierungen werden überschrieben.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Answers

- HalvorSakshaug
- March 27, 2024 at 8:29 am
- 0 votes
0
I had the same problem on a WordPress site. Seems like the .htaccess file is sometimes ignored due to some server settings. I added security headers with the "Redirection" plugin. The "Site" tab lets you set them. But beware that caching plugins may interfere with the headers and not show them for cached responses.

Login or Signup to reply.

For wordpress, I use these security headers

They work fine with your testsite getting an A:

<IfModule mod_headers.c>
    # Content-Security-Policy
    Header always set Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; script-src https: 'unsafe-inline'; img-src 'self' data:;"
    # X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    # X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    # Referrer-Policy
    Header always set Referrer-Policy "same-origin"
    # Permissions-Policy
    Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), camera=(), microphone=(), usb=(), fullscreen=(self)"
</IfModule>

Please signup or login to give your own answer.

Click here to cancel reply.

Apache – Missing Headers Security Report .htaccess

Answers