Can't add security headers

Hi everyone,

It says on my WordPress dashboard that my SSL protection is 71% and that I still need to work on several things to get my security boosted. I have tried to fix some of them (like verifying ownership on Google Analytics and Google Search Console) but it still stays on 71%. Does anyone know how I can fix this? Also, I have to add some security headers apparently, which is what I have been trying to do for the past couple of hours. I have had many attempts at adding the headers in my .htaccess file in different variations but to no avail. Then I opted for the easiest solution, which is to install and configure the Redirection plugin, but that didn’t work either. I checked on securityheaders.com many times after clearing browser cache and the LiteSpeed Cache of my server but according to securityheaders.com there were still no headers on my website. I know there’s a toggle option in my cPanel dashboard (I use Cloudflare) to enable HSTS but I also want to add the other security headers. Is there anyone that knows what I could be doing wrong and how I can add the security headers successfully?

Thank you

It’s super easy with Transform Rules:


Hi, thank you for your prompt comment. I am trying to insert the exact values as the ones you wrote in your picture. Could you send me the value that you put for content security policy please? I can’t read what is past 'unsafe.

Thank you!

CSP is unique per website. Here are some docs to get you started:

Hi, I am not very savvy with this but I just used this: upgrade-insecure-requests. I found it on some website where someone was recommending it. After I deployed the rules I checked again with securityheaders and the headers had been added successfully. Thank you!


Although, in my WordPress dashboard (in the SSL section) it still says my website is secured for 71%. It doesn’t seem to get up.

I don’t have any type of SSL section in my WordPress dashboard. I always have SSL fully configured at the server and don’t use any SSL plugins.

It is not a plugin, I’ve got free SSL from my hosting provider and from Cloudflare, it is Cloudflare’s SSL that I activated. But I can see it in my WordPress dashboard for some reason.

Can you please post a screenshot of that?

Hi,

Yes of course.
I attached it as an attachment to this message.

Really Simple SSL is a plugin.

It’s quite possible it’s testing a local connection and not through the Cloudflare Proxy. securityheaders.com should be able to confirm if these headers are there or not.
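
The difference between a check made against the web server directly and one made through the proxy, as an added example that is not part of the thread. Both response heads are constructed samples, and the baseline header list is an assumption, not what securityheaders.com or the plugin actually grades.

```python
from email.parser import Parser

# Assumed baseline of commonly audited headers; not a list taken from the thread.
BASELINE = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy")

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    _status, _, block = raw.strip().partition("\n")
    msg = Parser().parsestr(block, headersonly=True)
    return {name.lower(): value.strip() for name, value in msg.items()}

def missing(raw):
    """Baseline headers absent from one response."""
    headers = parse_head(raw)
    return [h for h in BASELINE if h not in headers]

def edge_only(origin_raw, edge_raw):
    """Baseline headers present on the proxied response but not at the origin."""
    origin, edge = parse_head(origin_raw), parse_head(edge_raw)
    return [h for h in BASELINE if h in edge and h not in origin]

def csp_has_fetch_directive(policy):
    """True if the CSP names default-src or another directive ending in -src."""
    names = [d.split()[0].lower() for d in policy.split(";") if d.strip()]
    return any(n.endswith("-src") for n in names)

# Constructed: what a check made directly against the web server would see.
ORIGIN = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: LiteSpeed
"""

# Constructed: the same page fetched through the proxy once header rules are live.
EDGE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: cloudflare
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    print("missing at origin:", missing(ORIGIN))
    print("missing at edge:  ", missing(EDGE))
    print("added at edge:    ", edge_only(ORIGIN, EDGE))
```

A checker that reads only the origin response reports every header as missing even though visitors receive them from the proxy; `csp_has_fetch_directive` also shows that a policy consisting solely of `upgrade-insecure-requests` places no limit on where scripts or other content load from.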

Hi,

Oh, my apologies. I didn’t know it was a plugin. According to securityheaders the headers are there on my website so perhaps the plugin isn’t registering it. Thank you for your help!

