最近为网志更新了 WordPress 5.6,检查网站健康,发现了 SSL警告:Not all recommended security headers are installed。其实只要在 .htaccess 加几句设定就可以解决。
目录
WordPress 网站健康 SSL 警告
如果你检查网站健康时,遇上了以下的警告,依本文教学做便可解决。
Not all recommended security headers are installed
Your .htaccess file does not contain all recommended security headers.
- HTTP Strict Transport Security
- Content Security Policy: Upgrade Insecure Requests
- X-XSS protection
- X-Content Type Options
- Referrer-Policy
- Expect-CT
这些 headers 的作用如下:
- HSTS (HTTP Strict Transport Security) – 在网域上设置此 header 后,浏览器将随后通过 HTTPS 向您的网站发出所有请求。
- CSP: Upgrade Insecure Requests – 指示客户端将该站点的所有不安全网址(通过HTTP提供的URL)视为已被替换为安全网址(通过HTTPS提供的URL)。这指令适用于需要重写大量不安全的旧网址的网站。
- X-XSS protection – 如果检测到跨网站指令码 cross-site scripting(XSS)攻击,将阻止页面加载。
- X-Content Type Options – 强制浏览器不要“猜测”传递了哪种数据。 如果档案类型是
.doc,则浏览器应获取一个.doc文件,而不是其他文件(如.exe应用程式)。 - Referrer-Policy – 仅在使用相同协议时设置引荐来源网址,而在降级时则不设置引荐来源网址(HTTPS-> HTTP)。
- Expect-CT (Certificate Transparency) – SSL 证书颁发机构需要单独记录颁发的证书,以防止欺诈。
修改 .htaccess
如果你能用 FTP 修改档案,就在根目录下找出 .htaccess,在 # BEGIN WordPress 上面贴上以下 Recommended security headers 的设定。
# Recommended security headers
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Expect-CT "max-age=7776000, enforce"
# End Recommended security headers位置如下:
# Recommended security headers
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Expect-CT "max-age=7776000, enforce"
# End Recommended security headers
# BEGIN WordPress
...
注:如要移除 HSTS,请把 max-age 设为 0,即 "max-age=0"。
再重新检测网站健康就好了。
