I recently upgraded to WordPress 5.6 and found that Site Health reports an SSL-related error: "Not all recommended security headers are installed". It can be resolved by adding a few lines to .htaccess.
SSL Error in Site Health of WordPress
If you see the error below, follow this tutorial to resolve it.
Not all recommended security headers are installed
Your .htaccess file does not contain all recommended security headers.
- HTTP Strict Transport Security
- Content Security Policy: Upgrade Insecure Requests
- X-XSS protection
- X-Content Type Options
- Referrer-Policy
- Expect-CT
The security headers are:
- HSTS (HTTP Strict Transport Security) – once this header is set on your domain, the browser makes every subsequent request to your site over HTTPS.
- CSP: Upgrade Insecure Requests – this directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). It is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
- X-XSS protection – stops a page from loading if a reflected cross-site scripting (XSS) attack is detected.
- X-Content Type Options – forces the browser not to “guess” what kind of data it has been sent. If the extension is “.doc”, the browser should receive a .doc file, not something else (such as an .exe).
- Referrer-Policy – with no-referrer-when-downgrade, the referrer is only sent when staying on the same protocol, not when downgrading (HTTPS -> HTTP).
- Expect-CT (Certificate Transparency) – a Certificate Authority (the issuer of the SSL certificate) must record the certificates it issues in a separate public log (the CT framework), which helps prevent fraudulently issued certificates going unnoticed.
Editing .htaccess
If you have FTP access, open the .htaccess file in the WordPress root directory and add the recommended security headers below above the # BEGIN WordPress line.
# Recommended security headers
# Header directives need mod_headers; the IfModule guard avoids a 500 error if it is not loaded
<IfModule mod_headers.c>
# env=HTTPS: HSTS is only sent on TLS responses, an http:// response never carries it
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Expect-CT "max-age=7776000, enforce"
</IfModule>
# End Recommended security headers
The final .htaccess:
# Recommended security headers
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Expect-CT "max-age=7776000, enforce"
</IfModule>
# End Recommended security headers
# BEGIN WordPress
...
Note: to turn HSTS off, keep the line but set max-age to zero ("max-age=0"). Simply deleting the line is not enough, because browsers that have already cached the policy keep forcing HTTPS until their cached max-age expires; a max-age of zero tells them to forget it.
Then run the Site Health check again.
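Once the snippet is in place, it is useful to confirm from outside what the server actually sends, since Site Health only checks a single response. The script below is an added example, not part of the original post or of WordPress itself: it audits a response for the same six headers, treating a neutralised header (HSTS with max-age=0, as in the note above) as a finding rather than a pass. The header parsing, check logic and sample response are all constructed here for illustration; the URL in the usage comment is a placeholder.

```python
"""Audit an HTTP response for the six headers WordPress Site Health recommends.

Added example (not WordPress core or plugin code). Usage against a live site
(placeholder hostname):  python check_headers.py https://example.com/
Run without arguments it audits the constructed SAMPLE_OK block below.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request

# Site Health display names in its own order, keyed by the lower-cased wire name.
RECOMMENDED = [
    ("strict-transport-security", "HTTP Strict Transport Security"),
    ("content-security-policy", "Content Security Policy: Upgrade Insecure Requests"),
    ("x-xss-protection", "X-XSS protection"),
    ("x-content-type-options", "X-Content Type Options"),
    ("referrer-policy", "Referrer-Policy"),
    ("expect-ct", "Expect-CT"),
]

# Constructed sample of what `curl -I` could return once the snippet is active
# (not a real capture).
SAMPLE_OK = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Expect-CT: max-age=7776000, enforce
Content-Type: text/html; charset=UTF-8
"""


def parse_header_block(raw: str) -> dict[str, list[str]]:
    """Turn a raw header block into a case-insensitive dict; repeats keep every value."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def max_age(value: str) -> int | None:
    """Extract max-age=N from an HSTS or Expect-CT value; None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def header_problem(name: str, values: list[str]) -> str | None:
    """Return None when the header is acceptable, otherwise a short reason."""
    value = values[-1]  # if a header was sent twice, the last value is checked
    low = value.lower()
    if name == "strict-transport-security":
        age = max_age(value)
        if age is None:
            return "missing max-age"
        if age == 0:
            return "max-age=0 disables HSTS"  # the documented way to switch it off
    elif name == "content-security-policy" and "upgrade-insecure-requests" not in low:
        return "no upgrade-insecure-requests directive"
    elif name == "x-xss-protection" and not low.startswith("1"):
        return "filter disabled (expected '1; mode=block')"
    elif name == "x-content-type-options" and low != "nosniff":
        return "expected 'nosniff'"
    elif name == "referrer-policy" and not low:
        return "empty value"
    elif name == "expect-ct" and max_age(value) is None:
        return "missing max-age"
    return None


def audit(headers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (display name, problem) for each recommended header that is absent or weak."""
    findings = []
    for wire_name, display in RECOMMENDED:
        if wire_name not in headers:
            findings.append((display, "not set"))
            continue
        problem = header_problem(wire_name, headers[wire_name])
        if problem:
            findings.append((display, problem))
    return findings


def fetch_headers(url: str) -> dict[str, list[str]]:
    """Fetch response headers; use an https:// URL, HSTS is only sent on TLS (env=HTTPS)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        response = urllib.request.urlopen(request, timeout=10)
    except urllib.error.HTTPError as err:
        response = err  # a 4xx/5xx response still carries headers worth checking
    with response:
        return parse_header_block("\n".join(f"{k}: {v}" for k, v in response.headers.items()))


def main(argv: list[str]) -> int:
    headers = fetch_headers(argv[1]) if len(argv) > 1 else parse_header_block(SAMPLE_OK)
    findings = audit(headers)
    if not findings:
        print("All recommended security headers are installed.")
        return 0
    print("Not all recommended security headers are installed:")
    for display, problem in findings:
        print(f"  - {display}: {problem}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Check the https:// address rather than the http:// one: because of env=HTTPS the HSTS header is deliberately absent from plain-HTTP responses, so an http:// scan will always report it as missing.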
