Support » Plugin: Really Simple SSL » how to set security headers correctly?

  • Resolved esmertec

    (@esmertec)


    I keep getting warning in wordpress about security headers. I have performed all the necessary actions from the web server side, but I still see this error. My server settings:
    NGINX conf

    # SSL PCI compliance
        ssl_session_cache   shared:SSL:20m;
        ssl_session_timeout 60m;
        ssl_buffer_size     1400;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
        ssl_dhparam         /etc/ssl/dhparam.pem;
        ssl_ecdh_curve      secp384r1;
        ssl_session_tickets off;
        resolver 8.8.8.8 8.8.4.4  valid=300s ipv6=off;
        resolver_timeout    5s;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy no-referrer-when-downgrade;
        add_header X-XSS-Protection "1; mode=block";
        add_header Expect-CT "max-age=7776000, enforce";
        add_header X-Permitted-Cross-Domain-Policies master-only;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Content-Security-Policy "upgrade-insecure-requests";
        add_header Content-Security-Policy-Report-Only "default-src ‘self’";
        add_header Feature-Policy "geolocation ‘none’; camera ‘none’; speaker ‘none’;";

    Aapache2 conf:
    Include /etc/apache2/conf-enabled/security.conf

    @security.conf

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    </IfModule>

    P.S. mod_headers activated for apache2

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Mark

    (@markwolters)

    Hi @esmertec,

    NGINX uses an nginx.conf file which is usually located in the /etc/nginx/ folder or a specific site configuration file in the etc/nginx/sites-enabled/ folder. the NGINX add_header code should be placed inside the server { } block. See https://really-simple-ssl.com/security-headers-on-nginx/ for detailed instructions.

    Thread Starter esmertec

    (@esmertec)

    Hi @markwolters! The main nginx settings are on my server at /etc/nginx/nginx.conf, I added the server block to the http tag but the problem persists…
    my nginx.conf:

    http {
        server {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy upgrade-insecure-requests;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header Expect-CT 'enforce; max-age=7776000';
        add_header X-Frame-Options "SAMEORIGIN";
        }

    I am using debian 10, maybe I need to install some additional module? I have installed nginx-extras only.

    Plugin Author Mark

    (@markwolters)

    Hi @esmertec,

    strange, the headers should work when set in the server block. You might have to contact your hosting provider about this so they can check why it’s not working.

    Thread Starter esmertec

    (@esmertec)

    Hi @markwolters!
    I am a hosting provider as the web server is running on my pc. I have a suspicion that the rules still work, because the warning in wordress says that the rules are missing in the file .htaccess. How do I check if the headers are doing the right thing?

    Plugin Author Mark

    (@markwolters)

    Hi @esmertec,

    could you check which server you are running? The .htaccess file is only used for Apache servers, if you use NGINX the headers should be added to your NGINX configuration. Alternatively, you can try to enable the ‘Set headers via PHP’ option to set the headers via PHP. This should work if you site does not use caching.

    Thread Starter esmertec

    (@esmertec)

    Hi @markwolters!
    i use hestia cp, it runs apache2 – web server, nginx – reverse proxy server. In this control panel, there are a little strange rules, .htaccess does not accept header rules (the site crashes with a 500 error), so I had to add them to the configuration of apache2 itself. My site uses caching, so, unfortunately, the alternative method does not work…

    Thread Starter esmertec

    (@esmertec)

    And so I solved my problem with security headers, I remembered about this topic. saw the notification letter on my email))

    when using your OWN host, with the HestiaCP site control panel, you need to do the following:
    Nginx.conf SSL PCI compliance section delete completely, instead write the following:

    # SSL PCI compliance
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
        ssl_ecdh_curve secp384r1;
        ssl_session_timeout  10m;
        ssl_buffer_size     1400;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling_verify on;
        resolver DNS1 DNS2 valid=300s ipv6=off;
        resolver_timeout    5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Expect-CT "max-age=7776000, enforce";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header Content-Security-Policy "upgrade-insecure-requests";

    Apache2.conf In the “Global configuration” section, add the line Include conf-enabled/security.conf, after which we open the security config (/etc/apache2/conf-enabled/security.conf) and add lines to the very end:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
    # Requires Apache 2.4.36 & OpenSSL 1.1.1
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
    # Older versions
    # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options: "SAMEORIGIN"
    Header always set X-Content-Type-Options: "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off

    ATTENTION, in order for the header settings in Apache to work, you will need to enable headers_mod if you have not already done this, to enable it in the console enter the command:
    # a2enmod headers

    Well, in the end, you need to make a change to the .htaccess file, although as far as I understand this was no longer necessary because changes were made at the server level, but still. Looking for a section <IfModule mod_headers.c> if it is not there, we add it ourselves, and specify in it the same parameters that were specified in the apache2 security configuration:

    <IfModule mod_headers.c>
        Header set Referrer-Policy "no-referrer-when-downgrade"
        Header set Strict-Transport-Security "max-age=63072000"
        Header set X-Frame-Options “SAMEORIGIN”
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set Expect-CT "max-age=7776000, enforce"
        Header set Content-Security-Policy "upgrade-insecure-requests"
    </IfModule>

    restart nginx and apache2 services, all headers will work fine!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘how to set security headers correctly?’ is closed to new replies.