Title: Client Getting Security Scorecard Issues
Last modified: November 17, 2022

---

# Client Getting Security Scorecard Issues

 *  [seekersharer](https://wordpress.org/support/users/seekersharer/)
 * (@seekersharer)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/client-getting-security-scorecard-issues/)
 * We’re getting tested by securityscorecard.com and the test came back today with some issues. This is stronger testing than normal. Wondering how we can edit these?

   1. Website Does Not Implement HSTS Best Practices

      Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the ‘includeSubDomains’ directive so that requests to subdomains are also automatically upgraded to HTTPS. An acceptable HSTS header would declare:
      `Strict-Transport-Security: max-age=31536000; includeSubDomains;`

   2. Website does not implement X-Frame-Options Best Practices

      Add one of the following headers, using the ‘DENY’ or ‘ALLOW-FROM’ directive, to responses from this website:
      `X-Frame-Options: DENY`
      `X-Frame-Options: ALLOW-FROM https://example.com/`

   3. Content Security Policy Contains Broad Directives

      Explicitly specify trusted sources for your script-src and object-src policies. Ideally you can use the ‘self’ directive to limit scripts and objects to only those on your own domain, or you can explicitly specify domains that you trust and rely upon for your site to function.
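A small checker for the three findings quoted in the post, as an added example that is not part of the original thread or of the plugin; the header values, the sample configurations and the list of sources treated as "broad" are assumptions made for the example:

```python
# Added example (not from the original thread): evaluate response headers against
# the three SecurityScorecard findings quoted above. Sample headers are constructed.
MIN_HSTS_AGE = 31536000  # 12 months, the threshold stated in finding 1
BROAD_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}

def check_hsts(value):
    if value is None:
        return ["HSTS: header missing"]
    directives = {}  # directive name (lower-cased) -> argument, "" when there is none
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip()
    findings = []
    age = directives.get("max-age", "")
    if not age.isdigit() or int(age) < MIN_HSTS_AGE:
        findings.append(f"HSTS: max-age must be >= {MIN_HSTS_AGE}, got {age!r}")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains directive missing")
    return findings

def check_xfo(value):
    if value is None:
        return ["X-Frame-Options: header missing"]
    v = value.strip().upper()
    # DENY/SAMEORIGIN are what current browsers honour; ALLOW-FROM is the legacy
    # form the finding lists and is accepted here only because the scorecard does.
    if v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM "):
        return []
    return [f"X-Frame-Options: unexpected value {value!r}"]

def check_csp(value):
    if value is None:
        return ["CSP: header missing"]
    policy = {t[0].lower(): set(t[1:]) for t in (p.split() for p in value.split(";")) if t}
    findings = []
    for directive in ("script-src", "object-src"):  # browsers fall back to default-src
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"CSP: {directive} (and default-src) not set")
        elif sources & BROAD_SOURCES:
            findings.append(f"CSP: {directive} allows broad sources {sorted(sources & BROAD_SOURCES)}")
    return findings

def audit(headers):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return (check_hsts(h.get("strict-transport-security")) + check_xfo(h.get("x-frame-options"))
            + check_csp(h.get("content-security-policy")))

WEAK = {"Strict-Transport-Security": "max-age=86400", "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}
FIXED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "DENY",
         "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```

`audit(WEAK)` reports five findings (short max-age, no includeSubDomains, no X-Frame-Options, broad script-src and object-src); `audit(FIXED)` returns an empty list.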

The topic ‘Client Getting Security Scorecard Issues’ is closed to new replies.


## Tags

 * [testing](https://wordpress.org/support/topic-tag/testing/)

 * 0 replies
 * 1 participant
 * Last reply from: [seekersharer](https://wordpress.org/support/users/seekersharer/)
 * Last activity: [3 years, 5 months ago](https://wordpress.org/support/topic/client-getting-security-scorecard-issues/)
 * Status: not resolved