Check your security headers here https://sitecheck.sucuri.net/
At the bottom left hand corner after the scan, it will provide information to help you know what security headers you need.
Add this to the .htaccess file in the root of your directory, it will help with the following: –
HSTS – When this header is set on your domain, a browser will do all requests to your site over HTTPS from then on.
Upgrade-Insecure-Requests – This header is an additional method to force requests to your own domain over https
X-Content-Type-Options – This header will force the browser not to “guess” what kind of data is passed. If the extension is “.doc”, the browser should get a .doc file, not anything else like an executable file (.exe)
X-XSS-Protection – Will stop pages from loading if a reflected cross-site scripting (XSS) attack is detected.
Expect-CT, Certificate Transparency – A Certificate Authority (the issuer of the SSL certificate) needs to log the certificates that are issued in a separate log, preventing fraud.
No Referrer When Downgrade header – Only sets a referrer when going from the same protocol and not when downgrading (HTTPS -> HTTP).
|
1 2 3 4 5 6 7 8 9 10 11 |
# Codehaven Security Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS Header always set Content-Security-Policy "upgrade-insecure-requests" Header always set X-Content-Type-Options "nosniff" Header always set X-XSS-Protection "1; mode=block" Header always set Expect-CT "max-age=7776000, enforce" Header always set Referrer-Policy: "no-referrer-when-downgrade" Header always append X-Frame-Options SAMEORIGIN # Codehaven Security |
and after applying these rules
