WordPress / Enfold and Content Security Headers

These entries in your htaccess ( for apache ) ( please google for alternative methods on different servers ) – These settings help to increase the security of your site visitors. You can inspect f.e. your site on : https://securityheaders.com

I’ve been working on the topic of finding a solution for WordPress that also passes critical tests for quite some time.
Unfortunately, it was so far that with some settings of the Content Security Policy WordPress did not work in the frontend. And for example Enfold does not show all the options in a correct manner. Some of the settings had to have an “unsave” setting set – e.g. : script-src ‘unsafe-inline’.

Now there are new ways to set the CSP to pass the test pages with an A+, and still have the frontend work unaffected.
However, I had to set another setting (referrer policy) a little lower in the security level, so that the Youtube videos created in Enfold also work correctly. With this code here I have done well so far:

# -----------------------------------------------------------------------------
#  HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2022
# -----------------------------------------------------------------------------

<IfModule mod_headers.c>
	Header set Referrer-Policy "strict-origin-when-cross-origin"
	Header set X-Frame-Options "sameorigin"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Content-Type-Options "nosniff"
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header always set Content-Security-Policy "upgrade-insecure-requests"
	Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
	Header always set Expect-CT "enforce, max-age=21600"
</IfModule>

by the way – sometimes it needs an apache server restart.
https://securityheaders.com/?q=webers-testseite.de&followRedirects=on