Security Headers

So I’m about to add some security headers to my MainWP website:

Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy no-referrer-when-downgrade
Header set Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; script-src-elem 'self' 'unsafe-inline'; form-action 'self'; font-src 'self' data:;"

If I add those to the .htaccess file, will it mess up any connections?

Thanks!

Those headers will not cause any issues, but they are not the best. Try the ones I added here, and be careful with any CSP you set.

Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-XSS-Protection "0"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header always set X-Robots-Tag "noindex, nofollow, nosnippet, noimageindex"

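Whichever set of rules ends up in .htaccess, the thing worth checking is what the server actually sends back afterwards. The script below is an added example, not code from anyone in this thread: it parses a raw response head (the output of `curl -sI` against your dashboard; the hostname in the comment is a placeholder) and reports every deviation from the recommendations above, including a Set-Cookie without Secure/HttpOnly, an X-XSS-Protection value other than 0, and a CSP whose script-src still allows 'unsafe-inline' as the one in the first post does. SAMPLE_RESPONSE is a constructed response, not a capture from a real site.

```python
"""Audit an HTTP response head against the header set recommended in the
thread. Added example, not part of the forum post. SAMPLE_RESPONSE is a
constructed response; feed real output from `curl -sI` on stdin instead."""
import sys
from typing import Dict, List

# Constructed sample: most recommended headers are present, but one cookie
# lacks Secure/HttpOnly, X-XSS-Protection is still "1; mode=block", and
# there is no Content-Security-Policy at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: wordpress_logged_in=abc123; path=/\r\n"
    "Set-Cookie: PHPSESSID=def456; path=/; HttpOnly; Secure\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a status line plus headers into a lower-cased name -> values map.
    Repeated headers such as Set-Cookie keep every value; parsing stops at
    the blank line that ends the header block."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            continue  # status line (HTTP/1.1 or HTTP/2)
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per deviation from the thread's recommendations."""
    findings: List[str] = []

    # Every cookie should carry Secure and HttpOnly; the "Header always edit"
    # rule in the answer appends both to any Set-Cookie the app emits.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings.append(f"Set-Cookie {name}: missing {', '.join(missing)}")

    # The answer explicitly disables the legacy filter with a value of 0.
    xss = headers.get("x-xss-protection")
    if xss and xss[0] != "0":
        findings.append(f"X-XSS-Protection is '{xss[0]}'; the thread recommends 0")

    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options is '{xfo or 'absent'}'; expected SAMEORIGIN or DENY")

    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy: missing")

    # A CSP is recommended, but 'unsafe-inline' in a script directive
    # (as in the first post's policy) leaves inline script injection open.
    csp = headers.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy: missing")
    else:
        for directive in csp[0].split(";"):
            tokens = directive.split()
            if tokens and tokens[0] in ("script-src", "script-src-elem") \
                    and "'unsafe-inline'" in tokens[1:]:
                findings.append(f"Content-Security-Policy: {tokens[0]} allows 'unsafe-inline'")

    return findings


def main() -> None:
    # Usage: curl -sI https://dashboard.example | python3 audit_headers.py
    # (placeholder hostname). With no piped input the constructed sample runs.
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(parse_headers(raw)) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Run it once before and once after editing .htaccess; on the constructed sample it reports the unprotected cookie, the non-zero X-XSS-Protection and the missing CSP, and a fully hardened response produces no findings.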

Thank you @7thcircle!!!

I’ll keep investigating and try to get my CSP right as well.
