  • #1360260

    Within my WP dashboard, under Site Health Status, it flags the following issues “not all recommended security headers are installed” which lists:

    Your website does not send all recommended security headers.
    Upgrade Insecure Requests
    X-XSS protection
    X-Content Type Options
    Referrer-Policy
    X-Frame-Options
    Permissions-Policy
    HTTP Strict Transport Security
    Learn more about security headers

    So, is this something to do with Enfold header (which I have copied into enfold-child)?

    Thanks.

    #1360407

    Hi laptophobo,

    Can you try to switch it to a default WordPress theme and see if the issue still persists?
    If it still shows after switching then it may be more of a server configuration issue.

    Best regards,
    Nikko

    #1360906

    Hi Nikko,

    I switched out the theme to WP 2022 and the issue persists. I then activated debug and saw no errors.

    #1361020

    Hi,
    Thanks for your question. Since this is still occurring with the default 2022 theme, I would say that you will need to manually add the security headers to your htaccess file. Here is a thread on WordPress for your same issue.

    Best regards,
    Mike

    #1361048

    Hi Mike,

    The security header issue does appear to be a result of using the Really Simple SSL plugin that is used on all my websites. When I look over the “manually add the security headers” page you offered, it says to manually add a bunch of code within the .htaccess file. However, the “thread on WordPress” page you also offered up says “Perhaps you should ignore that list of recommendations and instead do some research to determine which headers are best for your site.” So, I’m wondering if I should simply ignore the so-called header security issue.

    #1361104

    Hi,
    Thanks for the feedback. I tested Really Simple SSL on my demo site, which already had SSL from Let’s Encrypt on my server and had no security header warnings in the Site Health Status. When I activated Really Simple SSL, I received these warnings:
    Your website does not send all recommended security headers.
    Upgrade Insecure Requests
    X-XSS protection
    Referrer-Policy
    Permissions-Policy

    So while I have recommended Really Simple SSL for sites that were having SSL issues, I assume that there can be a warning in the Site Health Status for some reason. I have disabled this on my site and it’s back to having no warnings.

    Best regards,
    Mike
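
    Added example, not part of any post in this thread: a small Python check that parses a response's header block and reports which of the items named in the Site Health warning are absent, independent of any plugin. The mapping from the warning's labels to HTTP header names and the sample response are assumptions constructed for illustration.

```python
from email.parser import Parser

# Warning label -> (HTTP header name, substring the value must contain or None).
# Assumed mapping; "Upgrade Insecure Requests" is a Content-Security-Policy
# directive rather than a header of its own.
CHECKS = {
    "Upgrade Insecure Requests": ("Content-Security-Policy", "upgrade-insecure-requests"),
    "X-XSS protection": ("X-XSS-Protection", None),
    "X-Content Type Options": ("X-Content-Type-Options", "nosniff"),
    "Referrer-Policy": ("Referrer-Policy", None),
    "X-Frame-Options": ("X-Frame-Options", None),
    "Permissions-Policy": ("Permissions-Policy", None),
    "HTTP Strict Transport Security": ("Strict-Transport-Security", "max-age="),
}

# Constructed sample response (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
"""

def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    raw = raw.replace("\r\n", "\n")          # tolerate CRLF line endings
    _, _, header_block = raw.partition("\n")
    return Parser().parsestr(header_block, headersonly=True)

def missing_headers(raw):
    """Return the warning labels whose header or directive is not sent."""
    headers = parse_headers(raw)
    missing = []
    for label, (name, needle) in CHECKS.items():
        values = headers.get_all(name, [])   # case-insensitive, keeps repeats
        joined = ",".join(values).lower()
        if not values or (needle and needle not in joined):
            missing.append(label)
    return missing

if __name__ == "__main__":
    for label in missing_headers(SAMPLE):
        print("missing:", label)
```

    To check a live site, pass `missing_headers` the output of `curl -sI https://example.com/` with your own URL in place of the placeholder.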
