I’m trying to adjust the security headers. The server is Apache. the site is based on wordpress. I’ve already modified this file ten times, I’ve uploaded it to the server ten times and I still haven’t figured out what I’m doing wrong.
Could someone help me and save my day please?
Below is the complete .htacess file.
I’m also using Litespeed Cache on the website, I’ve already cleaned the cache twenty times and nothing happens.
When I scan the website on https://securityheaders.com/, the Security Report Summary that is generated is always D.
Full content: .htacess
PS: I repeated the headers’s line in the .htaccess file to be true that I’m not doing something wrong, but it seems that there is still something wrong. Any help or any questions please?
# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule .litespeed_conf.dat - [F,L]
### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###
### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera Mini|Opera Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###
### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts).php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###
### marker FAVICON start ###
RewriteRule favicon.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###
### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###
### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###
</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600
ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600
ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600
ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600
ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600
</IfModule>
### marker BROWSER CACHE end ###
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE
# SECURITY HEADERS - INSERTION 13:13 26.03.2024
## 01° BEGIN
## 02° BEGIN
<IfModule mod_headers.c>
Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
</IfModule>
## 03° BEGIN
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
</IfModule>
## 04° BEGIN
<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
## 05° BEGIN
<IfModule mod_headers.c>
Header always set Expert-CT "max-age=777600, enforce"
</IfModule>
## 06° BEGIN
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
## 07° BEGIN
<IfModule mod_headers.c>
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
## 08° BEGIN
<IfModule mod_headers.c>
Header always set X-Frame-Options: "SAMEORIGIN"
</IfModule>
## 09° BEGIN
<IfModule mod_headers.c>
Header always set Permissions-Policy: "no-referrer-when-downgrade"
</IfModule>
# END SECURITY HEADERS
# SECURITY H INSERTION 13:13 26.03.2024
Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expert-CT "max-age=777600, enforce"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options: "SAMEORIGIN"
Header always set Permissions-Policy: "no-referrer-when-downgrade"
# END SECURITY H
# START IONOS Performance Directory Index
# IONOS Directory Index v1
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
# END IONOS Performance Directory Index
# START IONOS Performance Cache Expiration
# IONOS Cache Expiration v1
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css A2419200
ExpiresByType text/x-component A2419200
ExpiresByType application/x-javascript A2419200
ExpiresByType application/javascript A2419200
ExpiresByType text/javascript A2419200
ExpiresByType text/x-js A2419200
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType image/svg+xml A3600
ExpiresByType text/plain A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType text/xml A3600
ExpiresByType video/asf A2419200
ExpiresByType video/avi A2419200
ExpiresByType image/bmp A2419200
ExpiresByType application/java A2419200
ExpiresByType video/divx A2419200
ExpiresByType application/msword A2419200
ExpiresByType application/vnd.ms-fontobject A2419200
ExpiresByType application/x-msdownload A2419200
ExpiresByType image/gif A2419200
ExpiresByType application/x-gzip A2419200
ExpiresByType image/x-icon A2419200
ExpiresByType image/jpeg A2419200
ExpiresByType application/json A2419200
ExpiresByType application/vnd.ms-access A2419200
ExpiresByType audio/midi A2419200
ExpiresByType video/quicktime A2419200
ExpiresByType audio/mpeg A2419200
ExpiresByType video/mp4 A2419200
ExpiresByType video/mpeg A2419200
ExpiresByType application/vnd.ms-project A2419200
ExpiresByType application/x-font-otf A2419200
ExpiresByType application/vnd.ms-opentype A2419200
ExpiresByType application/vnd.oasis.opendocument.database A2419200
ExpiresByType application/vnd.oasis.opendocument.chart A2419200
ExpiresByType application/vnd.oasis.opendocument.formula A2419200
ExpiresByType application/vnd.oasis.opendocument.graphics A2419200
ExpiresByType application/vnd.oasis.opendocument.presentation A2419200
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2419200
ExpiresByType application/vnd.oasis.opendocument.text A2419200
ExpiresByType audio/ogg A2419200
ExpiresByType application/pdf A2419200
ExpiresByType image/png A2419200
ExpiresByType application/vnd.ms-powerpoint A2419200
ExpiresByType audio/x-realaudio A2419200
ExpiresByType image/svg+xml A2419200
ExpiresByType application/x-shockwave-flash A2419200
ExpiresByType application/x-tar A2419200
ExpiresByType image/tiff A2419200
ExpiresByType application/x-font-ttf A2419200
ExpiresByType application/vnd.ms-opentype A2419200
ExpiresByType audio/wav A2419200
ExpiresByType audio/wma A2419200
ExpiresByType application/vnd.ms-write A2419200
ExpiresByType application/font-woff A2419200
ExpiresByType application/vnd.ms-excel A2419200
ExpiresByType application/zip A2419200
</IfModule>
# END IONOS Performance Cache Expiration
# START IONOS Performance Deflate
# IONOS Deflate v1
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/cache-manifest
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/vcard
AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc
AddOutputFilterByType DEFLATE text/vtt
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE text/x-cross-domain-policy
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/activity+json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/manifest+json
AddOutputFilterByType DEFLATE application/rdf+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/schema+json
AddOutputFilterByType DEFLATE application/vnd.geo+json
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE font/eot
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/bmp
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
AddOutputFilterByType DEFLATE image/x-icon
</IfModule>
# END IONOS Performance Deflate
# BEGIN WordPress
# Die Anweisungen (Zeilen) zwischen „BEGIN WordPress“ und „END WordPress“ sind
# dynamisch generiert und sollten nur über WordPress-Filter geändert werden.
# Alle Änderungen an den Anweisungen zwischen diesen Markierungen werden überschrieben.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
2
Answers
I had the same problem on a WordPress site. Seems like the .htaccess file is sometimes ignored due to some server settings. I added security headers with the "Redirection" plugin. The "Site" tab lets you set them. But beware that caching plugins may interfere with the headers and not show them for cached responses.
For wordpress, I use these security headers
They work fine with your testsite getting an A: