-SECURITY HEADERS-

-as of [24 AUGUST 2024]-

.

*via ‘site health’ wp plug-in*

.

.

This article will explain how to manually add the recommended security headers to your website.

For more advanced security headers or automatically add the security headers, please consider subscribing to Really Simple SSL Pro.

Security headers will add a new layer to SSL

(Secure Socket Layer).

The security headers

We will explain the below security headers, and how to add them manually.

When you need to know more, or are interested in more advanced security headers, visit this article.

HSTS –

When this header is set on your domain, a browser will do all requests to your site over HTTPS from then on

Upgrade-Insecure-Requests – This header is an additional method to force requests to your own domain over https://.

X-Content-Type-Options – This header will force the browser not to “guess” what kind of data is passed. If the extension is “.doc”, the browser should get a .doc file, not something else (a .exe).

X-XSS-Protection – Will stop pages from loading if a reflected cross-site scripting (XSS) attack is detected.

Expect-CT, Certificate Transparency – A Certificate Authority (the issuer of the SSL certificate) needs to log the certificates that are issued in a separate log, the CT framework., preventing fraud.

No Referrer When Downgrade header – Only sets a referrer when going from the same protocol and not when downgrading (HTTPS -> HTTP).

.

What you will need

Before manually adding these files you will need to access your .htaccess file.

This file only available on Apache servers via FTP.

FTP Credentials

Text edit program to open .htaccess file

Some patience and no worries as everything is reversible.

Let’s get started!

Manually adding security headers

Let’s start with the basics, opening, and adding a line to the .htaccess file.

Open your FTP client and visit the root of your website. The root is where wp-admin, wp-content maps are located, including the .htaccess

If you can’t find the .htaccess, make sure you can view all hidden files. For most FTP clients go to “View” and select “Show hidden files” or similar.

Download and open the file in a text editor to see a file resembling the below image. Sometimes you can’t save a file starting with a dot. Save the file without the dot and continue.

Adding a line
We recommend adding a line between comments. In this case we will always add a security header per line, between the same comments. For example

Really Simple SSL

// This will be a security header..

End Really Simple SSL

Or as an example:

Adding HSTS
Add the following line between the comments as show above. We will end with an example to compare with. We will also repeat the comments, please don’t repeat comments in the file.

Really Simple SSL

Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS

End Really Simple SSL

To remove HSTS. Keep the line, but set max-age to zero. Or “max-age=0”
Adding Upgrade-Insecure-Requests

Really Simple SSL

Header always set Content-Security-Policy “upgrade-insecure-requests”

End Really Simple SSL

Adding X-XSS-Protection

Really Simple SSL

Header always set X-Content-Type-Options “nosniff”

End Really Simple SSL

Adding X-Content-Type-Options

Really Simple SSL

Header always set X-XSS-Protection “1; mode=block”

End Really Simple SSL

Adding Expect-CT, Certificate Transparency

Really Simple SSL

Header always set Expect-CT “max-age=7776000, enforce”

End Really Simple SSL

Adding No Referrer When Downgrade header

Really Simple SSL

Header always set Referrer-Policy: “no-referrer-when-downgrade”

End Really Simple SSL

.htaccess example
In the below image you will find the example of all security combined, between the two comments.

Uploading and Troubleshooting
Before uploading, make sure you have a back-up of your current .htaccess file. As an example:

Upload the new file with filename 1htaccess

Change the current .htaccess to htaccessback-up

Change 1htaccess to .htaccess to activate your new file.

really-simple-ssl.com /site-health-recommended-security-headers/

Manually adding recommended security headers – Really Simple SSL

Aert Hulsebos4-6 minutes

11/26/2020

.

.

*👨‍🔬🕵️‍♀️🙇‍♀️*SKETCHES*🙇‍♂️👩‍🔬🕵️‍♂️*

.

.

👈👈👈 ☜ *-[TROUBLE—SHOOTING ARCHIVES-*

.

*-SITE HEALTH-* ☞ 👉👉👉

.

.

💕💝💖💓🖤💙🖤💙🖤💙🖤❤️💚💛🧡❣️💞💔💘❣️🧡💛💚❤️🖤💜🖤💙🖤💙🖤💗💖💝💘

.

.

*🌈✨ *TABLE OF CONTENTS* ✨🌷*

.

.

🔥🔥🔥🔥🔥🔥*we won the war* 🔥🔥🔥🔥🔥🔥