Configuring HSTS in Cloudflare

Since it’s been 3 minutes I assume you broke your local internet? :stuck_out_tongue_winking_eye:

Is anybody alive?

2 Likes

Can you please repeat that? Something’s wrong with the connection.

3 Likes

I removed the previous header code from the htaccess and flicked the switch at Cloudflare. Everything seems to be fine. It still scores A+ at SSL labs and in a header check at https://redbot.org/ it includes the no sniff header.

Now I know it’s OK on my wife’s site I think it’s safe to test on my own.

Try also securityheaders.com, works well and will allow improvements in other areas apart from the standard SSL Labs.

Ouch, that’s just scored a D grade.

Yeah…good strategy there. :rofl:

1 Like

A+ here :stuck_out_tongue_winking_eye: You can always improve, most sites will be F, you start already 2 levels above!

I presume Wordpress sites score an F minus by default.

If you’ve set it on your origin I don’t believe there is a reason/need to set it at Cloudflare per se. If you had multiple subdomains and wanted a consistent policy (or wanted an easy button) then you could use the Cloudflare UI. But I think you’re golden.

1 Like

Don’t use WordPress actually, never used it. Can’t stand the burden it puts on the server, plus not static, bad security practices and… PHP.

It’s the other stuff:

Content-Security-Policy
X-Frame-Options
X-XSS-Protection
Referrer-Policy
Feature-Policy

Yeah, some are easy, CSP is a bit more complex. Feature Policy relatively easy.
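An added example, not posted by anyone in this thread: a small offline checker for the HSTS header and the "other stuff" list above, run against a constructed header set. The one-year max-age floor and the header values are assumptions, not values from the thread.

```python
# Added example (not from the thread). Checks a response header map for HSTS
# directives and for the other headers the thread lists. Sample values are
# constructed; only the header names come from the discussion.
from typing import Dict, List

# Headers named in the thread besides HSTS; a missing one is a finding.
OTHER_HEADERS = [
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
    "Feature-Policy",
]

# Assumed floor for max-age (one year); the thread gives no number.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                out["max_age"] = int(token.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                out["max_age"] = None  # unparseable max-age counts as absent
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; header names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        if d["max_age"] is None or d["max_age"] < MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if not d["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    for name in OTHER_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    return findings


# Constructed sample: HSTS set at the origin, nothing from the list yet.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}
```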

Take a look at report-uri.com!

I agree entirely, though from a business perspective I know it’s costing me work by not offering this. I know a guy in Moscow who deals with Wordpress stuff. He should be trustworthy.

2 Likes

Yes, some of the others just look like header changes I can implement easily enough. I’m using a LiteSpeed server with cloud hosting, but that shouldn’t cause any major obstacles.

Not at all, even though I've never actually dealt with LiteSpeed. Mostly nginx myself. Sometimes Apache.

I had Nginx set up as a reverse proxy once on a VPS. I like this setup at Guru though. It seems to offer great performance and stability for the price.

1 Like

Just a thought, but I wonder how this affects canonical headers? Is it still a good idea to include them like here with absolute links <link rel="canonical" href="https://example.com/about/"/>

Yeah, those would be ideally put as absolute links, with https in front obviously.

Thanks, I started adding these previously to my sites, but wondered if HSTS made it redundant.