• Resolved pulpita

    (@pulpita)


    Hey,

    I’m trying to set up Security Headers, but they don’t show up on securityheaders.com unless I deactivate WP Optimize. I tried different ways (using Headers Security Advanced & HSTS WP or Redirection Plugin, or directly in the htaccess file).

    What are your recommendations to achieve this?

    Thanks!!!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Damilare

    (@deabiodun)

    Hi!
    Did you purge your site cache after adding the headers? If not, please do so.
    Also run the preloader afterward at WPO > Cache > Preload.

    Let us know if that helps.

    Kind regards.

    Thread Starter pulpita

    (@pulpita)

    Thanks for your quick reply.

    Yes, I did clear the cache after adding the headers. And I just tried again, running the preloader after, but nothing. And as soon as I deactivate WP Optimize, all the security headers are recognized.

    Here are my settings:

    ### WP-Optimize information ###

    Report generation time: 2025-05-23 15:34:02 (Europe/Paris)
    Cache size: 80 Mo (975 fichiers)
    Minify size: 670.85 KB (66 files)
    Logs: - smush-34040a71fc67e45eca43.log: 56 Ko
    - cache-34040a71fc67e45eca43.log: 149 Ko
    WebP redirection rules: Redirection is disabled
    Plugin settings: {
    "epoch_date": 1748014442865,
    "local_date": "23/05/2025 17:34:02",
    "network_site_url": "https://ckmer.org",
    "data": {
    "cache_settings": {
    "enable_page_caching": 1,
    "auto_preload_purged_contents": 1,
    "enable_mobile_caching": 1,
    "enable_user_caching": 0,
    "page_cache_length_value": "30",
    "page_cache_length_unit": "days",
    "enable_schedule_preload": 1,
    "preload_schedule_type": "wpo_use_cache_lifespan",
    "cache_exception_urls": [
    "/robots.txt",
    "/symposium-inscriptions/",
    "/symposium-info/",
    "/calendrier/",
    "/cal_test/",
    "/assemblee-generale-ckmer-2024-leporge/",
    "https://ckmer.org/test-map-page/"
    ],
    "cache_exception_cookies": [
    ""
    ],
    "cache_exception_conditional_tags": [
    ""
    ],
    "cache_exception_browser_agents": [
    "SecurityHeaders.com",
    "observatory.mozilla.org"
    ]
    },
    "minify_settings": {
    "enabled": "true",
    "enable_js": "true",
    "enable_css": "true",
    "html_minification": "false",
    "enable_js_minification": "true",
    "exclude_js": "/wp-content/plugins/ninja-forms/assets/js/*\r\n/wp-content/plugins/simply-gallery-block/blocks/pgc_sgb.min.js\r\n/test-map-page/",
    "enable_defer_js": "individual",
    "async_js": "",
    "defer_js_type": "defer",
    "exclude_delay_js": "",
    "enable_merging_of_js": "false",
    "enable_js_trycatch": "false",
    "exclude_js_from_page_speed_tools": "false",
    "defer_jquery": "false",
    "enable_delay_js": "false",
    "enable_preload_js": "false",
    "enable_css_minification": "true",
    "remove_print_mediatypes": "true",
    "exclude_css": "",
    "async_css": "",
    "enable_merging_of_css": "false",
    "inline_css": "false",
    "exclude_css_from_page_speed_tools": "false",
    "enable_display_swap": "true",
    "gfonts_method": "inherit",
    "fawesome_method": "inherit",
    "disable_google_fonts_processing": "false",
    "remove_googlefonts": "false",
    "enable_analytics": "false",
    "merge_inline_extra_css_js": "true",
    "disable_when_logged_in": "true",
    "emoji_removal": "true",
    "default_protocol": "https",
    "clean_header_one": "false",
    "cache_lifespan": "30",
    "minify_advanced_tab": "1",
    "debug": "false",
    "edit_default_exclutions": "false"
    },
    "smush_settings": {
    "compression_server": "resmushit",
    "image_quality": "85",
    "lossy_compression": true,
    "back_up_original": true,
    "back_up_delete_after": false,
    "back_up_delete_after_days": "50",
    "preserve_exif": false,
    "autosmush": false,
    "show_smush_metabox": false,
    "webp_conversion": false
    },
    "database_settings": "enable-auto-backup-1=true&enable-retention=true&retention-period=2&enable-revisions-retention=true&revisions-retention-count=2&enable-auto-backup-scheduled=true&enable-schedule=true&schedule_type=wpo_weekly&wp-optimize-auto%5Boptimize%5D=true&wp-optimize-auto%5Brevisions%5D=true&wp-optimize-auto%5Bdrafts%5D=true&wp-optimize-auto%5Bspams%5D=true&wp-optimize-auto%5Btransient%5D=true&wp-optimize-auto%5Busermeta%5D=true&_wpnonce_db_settings=0bfda39391&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpo_settings&enable_cache_in_admin_bar=1&_wpnonce=0bfda39391&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpo_settings&wp-optimize-auto[trash]=0&wp-optimize-auto[unapproved]=0&404_detector=0&enable-admin-bar=0"
    }
    }
    Réglages du cache: {
    "enable_page_caching": true,
    "page_cache_length_value": 30,
    "page_cache_length_unit": "days",
    "page_cache_length": 2592000,
    "cache_exception_conditional_tags": [
    ""
    ],
    "cache_exception_urls": [
    "\/robots.txt",
    "\/symposium-inscriptions\/",
    "\/symposium-info\/",
    "\/calendrier\/",
    "\/cal_test\/",
    "\/assemblee-generale-ckmer-2024-leporge\/",
    "https:\/\/ckmer.org\/test-map-page\/"
    ],
    "cache_exception_cookies": [
    ""
    ],
    "cache_exception_browser_agents": [
    "SecurityHeaders.com",
    "observatory.mozilla.org"
    ],
    "enable_sitemap_preload": false,
    "enable_schedule_preload": "1",
    "preload_schedule_type": "wpo_use_cache_lifespan",
    "enable_mobile_caching": "1",
    "enable_user_caching": "0",
    "site_url": "https:\/\/ckmer.org\/",
    "enable_cache_per_country": false,
    "enable_cache_aelia_currency": false,
    "permalink_structure": "\/%postname%\/",
    "uploads": "\/homepages\/42\/d149854795\/htdocs\/clickandbuilds\/ckmerorg\/wp-content\/uploads",
    "gmt_offset": 2,
    "timezone_string": "Europe\/Paris",
    "date_format": "j F Y",
    "time_format": "H:i",
    "use_webp_images": false,
    "show_avatars": 0,
    "host_gravatars_locally": 0,
    "auto_preload_purged_contents": "1",
    "wpo_cache_cookies": [],
    "wpo_cache_query_variables": []
    }
    Webroot .htaccess: # BEGIN All In One WP Security
    #AIOWPS_BASIC_HTACCESS_RULES_START


    Require all denied


    Order deny,allow
    Deny from all


    ServerSignature Off
    LimitRequestBody 104857600


    Require all denied


    Order deny,allow
    Deny from all


    #AIOWPS_BASIC_HTACCESS_RULES_END
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START


    Require all denied


    Order deny,allow
    Deny from all


    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END
    #AIOWPS_DISABLE_TRACE_TRACK_START

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    #AIOWPS_DISABLE_TRACE_TRACK_END
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://ckmer\.org [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security

    # BEGIN LSCACHE
    # END LSCACHE
    # BEGIN NON_LSCACHE
    # END NON_LSCACHE

    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/cache-manifest
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/vcard
    AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc
    AddOutputFilterByType DEFLATE text/vtt
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE text/x-cross-domain-policy
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/ld+json
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/manifest+json
    AddOutputFilterByType DEFLATE application/rdf+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/schema+json
    AddOutputFilterByType DEFLATE application/vnd.geo+json
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE font/eot
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE image/bmp
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
    AddOutputFilterByType DEFLATE image/x-icon



    ExpiresActive On
    ExpiresByType text/css A2419200
    ExpiresByType text/x-component A2419200
    ExpiresByType application/x-javascript A2419200
    ExpiresByType application/javascript A2419200
    ExpiresByType text/javascript A2419200
    ExpiresByType text/x-js A2419200
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType image/svg+xml A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A2419200
    ExpiresByType video/avi A2419200
    ExpiresByType image/bmp A2419200
    ExpiresByType application/java A2419200
    ExpiresByType video/divx A2419200
    ExpiresByType application/msword A2419200
    ExpiresByType application/vnd.ms-fontobject A2419200
    ExpiresByType application/x-msdownload A2419200
    ExpiresByType image/gif A2419200
    ExpiresByType application/x-gzip A2419200
    ExpiresByType image/x-icon A2419200
    ExpiresByType image/jpeg A2419200
    ExpiresByType application/json A2419200
    ExpiresByType application/vnd.ms-access A2419200
    ExpiresByType audio/midi A2419200
    ExpiresByType video/quicktime A2419200
    ExpiresByType audio/mpeg A2419200
    ExpiresByType video/mp4 A2419200
    ExpiresByType video/mpeg A2419200
    ExpiresByType application/vnd.ms-project A2419200
    ExpiresByType application/x-font-otf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType application/vnd.oasis.opendocument.database A2419200
    ExpiresByType application/vnd.oasis.opendocument.chart A2419200
    ExpiresByType application/vnd.oasis.opendocument.formula A2419200
    ExpiresByType application/vnd.oasis.opendocument.graphics A2419200
    ExpiresByType application/vnd.oasis.opendocument.presentation A2419200
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2419200
    ExpiresByType application/vnd.oasis.opendocument.text A2419200
    ExpiresByType audio/ogg A2419200
    ExpiresByType application/pdf A2419200
    ExpiresByType image/png A2419200
    ExpiresByType application/vnd.ms-powerpoint A2419200
    ExpiresByType audio/x-realaudio A2419200
    ExpiresByType image/svg+xml A2419200
    ExpiresByType application/x-shockwave-flash A2419200
    ExpiresByType application/x-tar A2419200
    ExpiresByType image/tiff A2419200
    ExpiresByType application/x-font-ttf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType audio/wav A2419200
    ExpiresByType audio/wma A2419200
    ExpiresByType application/vnd.ms-write A2419200
    ExpiresByType application/font-woff A2419200
    ExpiresByType application/vnd.ms-excel A2419200
    ExpiresByType application/zip A2419200



    RewriteEngine On
    RewriteBase /

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]


    AddHandler x-mapp-php5.5 .php

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.

    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]


    # END WordPress
    # BEGIN FRedirect_ErrorDocument
    # The directives (lines) between 'BEGIN FRedirect_ErrorDocument' and 'END FRedirect_ErrorDocument' are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    ErrorDocument 404 /index.php?error=404
    # END FRedirect_ErrorDocument


    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://ckmer.org/$1 [R=301,L]





    # BEGIN Headers Security Advanced & HSTS WP 5.0.44

    Header set Access-Control-Allow-Methods "GET,POST"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    Header set Content-Security-Policy "upgrade-insecure-requests;"
    Header set Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'"
    Header set Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'"
    Header set Cross-Origin-Opener-Policy "unsafe-none"
    Header set Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'"
    Header set Cross-Origin-Resource-Policy "cross-origin"
    Header set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header set X-Content-Security-Policy "default-src 'self'; img-src *; media-src * data:;"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Permitted-Cross-Domain-Policies "none"

    # END Headers Security Advanced & HSTS WP

    ### WordPress ###

    Version: 6.8.1
    URL de la page d’accueil: https://ckmer.org
    URL du site: https://ckmer.org
    Structure des permaliens: /%postname%/
    Est-ce que ce site utilise HTTPS ?: Oui


    ### Extensions avancées ###

    advanced-cache.php: Extension de cache avancée.

    ### Thème actif ###

    Nom: Greenshift (greenshift)
    Version: 2.6.4

    ### Extensions actives ###

    Akismet Anti-spam: Spam Protection: Version 5.4 par Automattic - Anti-spam Team | Mises à jour auto désactivées
    All-In-One Security (AIOS): Version 5.4.1 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivées
    Better YouTube Embed Block: Version 1.1.2 par Phi Phan | Mises à jour auto désactivées
    Code Snippets: Version 3.6.8 par Code Snippets Pro | Mises à jour auto désactivées
    Converter for Media: Version 6.2.2 par matt plugins | Mises à jour auto désactivées
    Events Manager: Version 6.6.4.4 par Pixelite | Mises à jour auto désactivées
    GA Google Analytics: Version 20250326 par Jeff Starr | Mises à jour auto désactivées
    GreenShift - Animation and Page Builder Blocks: Version 11.5.5 par Wpsoul | Mises à jour auto désactivées
    Greenshift Smart Code AI: Version 0.3 par Wpsoul | Mises à jour auto désactivées
    GTranslate: Version 3.0.8 par Translate AI Multilingual Solutions | Mises à jour auto désactivées
    Headers Security Advanced & HSTS WP: Version 5.0.44 par 🐙 Andrea Ferro | Mises à jour auto désactivées
    Independent Analytics: Version 2.11.4 par Independent Analytics | Mises à jour auto désactivées
    Ninja Forms: Version 3.10.1 par Saturday Drive | Mises à jour auto désactivées
    Redirection: Version 5.5.2 par John Godley | Mises à jour auto désactivées
    SimpLy Gallery Block & Lightbox: Version 3.2.6 par GalleryCreator | Mises à jour auto désactivées
    The SEO Framework: Version 5.1.2 par The SEO Framework Team | Mises à jour auto désactivées
    The SEO Framework - Extension Manager: Version 2.7.1 par The SEO Framework Team | Mises à jour auto désactivées
    UpdraftPlus - Backup/Restore: Version 1.25.5 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivées
    WP-Optimize - Clean, Compress, Cache: Version 4.2.1 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivées
    WP Mail SMTP: Version 4.4.0 par WP Mail SMTP | Mises à jour auto désactivées


    ### Serveur ###

    Architecture serveur: Linux 4.4.400-icpu-101 x86_64
    Serveur web: Apache
    Version de PHP: 8.3.21 (Supporte les valeurs 64 bits)
    PHP SAPI: cgi-fcgi
    Valeur maximale des variables PHP: 1000
    Limite d’exécution PHP: 30
    Limite de mémoire PHP: 268435456
    Temps d’entrée max: -1
    Taille maximale de téléversement de fichier: 67108864
    Taille maximale d’envoi de PHP: 67108864
    Version de cURL: 7.74.0 OpenSSL/1.1.1w
    Heure actuelle: 2025-05-23T15:34:02+00:00

    Plugin Support Damilare

    (@deabiodun)

    Thanks for the settings you’ve provided.
    Let me try replicating the issue on my end. Expect feedback on what I find.

    Regards.


The topic ‘Issue setting up Security Headers’ is closed to new replies.
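
One way to check which of the `Header set` directives from the .htaccess posted in this thread actually reach a client, by comparing them with a saved response head. This is an added example, not part of the thread or of any plugin's code; the .htaccess excerpt and the three response heads are constructed samples, and the function names are hypothetical.

```python
import re
# Constructed excerpt of the `Header set` block from the .htaccess posted above.
HTACCESS = '''
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set X-Frame-Options "SAMEORIGIN"
'''

# Constructed response heads, in the form `curl -sI` prints them.
RESPONSE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "referrer-policy: strict-origin-when-cross-origin\r\n"
    "strict-transport-security: max-age=63072000; includeSubDomains\r\n"
    "x-frame-options: SAMEORIGIN\r\n\r\n"
)
RESPONSE_BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
RESPONSE_MIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)

DIRECTIVE = re.compile(
    r'^[ \t]*Header[ \t]+(?:(?:always|onsuccess)[ \t]+)?set[ \t]+(\S+)[ \t]+"([^"\n]*)"',
    re.I | re.M,
)

def expected_headers(htaccess_text):
    """Map lower-cased header name -> value for each `Header [always] set` line."""
    return {name.lower(): value for name, value in DIRECTIVE.findall(htaccess_text)}

def response_headers(raw):
    """Parse a raw response head into {lower-cased name: [values]}."""
    found = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            found.setdefault(name.strip().lower(), []).append(value.strip())
    return found

def audit(htaccess_text, raw_response):
    """Sort each configured header into ok / missing / mismatch / duplicate."""
    got = response_headers(raw_response)
    report = {"ok": [], "missing": [], "mismatch": [], "duplicate": []}
    for name, value in expected_headers(htaccess_text).items():
        values = got.get(name, [])
        if not values:
            report["missing"].append(name)
        elif len(values) > 1:                  # sent twice, e.g. by two sources
            report["duplicate"].append(name)
        else:
            report["ok" if values[0] == value else "mismatch"].append(name)
    return report

if __name__ == "__main__":
    for label, raw in (("full", RESPONSE_FULL), ("bare", RESPONSE_BARE), ("mixed", RESPONSE_MIXED)):
        print(label, audit(HTACCESS, raw))
```

To audit a live site, save the output of `curl -sI` once with the page cache enabled and once with it disabled, and pass each to `audit()`. Repeat with `-A` set to a scanner's user agent string, since the posted settings list `SecurityHeaders.com` and `observatory.mozilla.org` under `cache_exception_browser_agents`.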