Security Headers

So I’m about to add some security headers to my MainWP website:

Header always append X-Frame-Options SAMEORIGIN Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff Header set Referrer-Policy no-referrer-when-downgrade Header set Content-Security-Policy default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; script-src-elem 'self' 'unsafe-inline'; form-action 'self'; font-src 'self' data:;

If I add those to the .htaccess file, will it mess up any connections?

Thanks!

Those headers will not cause any issues, but they are not the best. Try the ones I added here and be careful with any CSP you set

Header always edit Set-Cookie ^(.*)$ “$1; HttpOnly; Secure”
Header set Referrer-Policy “strict-origin-when-cross-origin”
Header set X-XSS-Protection “0”
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Cross-Origin-Embedder-Policy “unsafe-none”
Header set Cross-Origin-Opener-Policy “same-origin-allow-popups”
Header set Cross-Origin-Resource-Policy “cross-origin”
Header set X-Robots-Tag “noindex, nofollow, nosnippet, noimageindex” always;

Thank you @7thcircle !!!

I’ll keep investigating and try to get my CSP right as well.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.