Title: HTTP response headers
Last modified: April 2, 2018

---

# HTTP response headers

 *  Resolved [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/)
 * Hi,
 * I’ve set several HTTP response headers through NFW:
 * X-Content-Type-Options – YES
   X-Frame-Options – SAMEORIGIN
   X-XSS-Protection – YES
   Strict-Transport-Security – 1 YEAR
 * If I check the header responses in Chrome I can see them listed: [https://snag.gy/B67y3v.jpg](https://snag.gy/B67y3v.jpg)
 * However, if I check through popular HTTP response header scanners they are showing
   as missing:
 * [Mozilla Observatory](https://observatory.mozilla.org/analyze/www.englishlc.com&third-party=false)
   [High Tech Bridge](https://www.htbridge.com/websec/?id=fUi23Adq)
   [Security Headers](https://securityheaders.io/?q=www.englishlc.com&hide=on&followRedirects=on)
 * Is something blocking them from reading these headers?

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Thread Starter [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10139552)
 * If I add the rules directly to the main .htaccess file then they are recognised
   by the scans.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10140609)
 * I used htbridge.com to scan a site that has all headers enabled and it returned
   there were no headers at all. A bit odd.
 * Try to test yourself with the cURL command from a shell:
 *     ```
       $ curl -I http(s)://YOUR-BLOG/index.php
       ```
   
 * The `-I` switch will display headers only.
 *  Thread Starter [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10140635)
 * Thanks for looking into this.
 * > Try to test yourself with the cURL command from a shell:
 * That is outside my skill set I’m afraid. I’m happy to apply these headers through
   the .htaccess file for now, but wanted to let you know in case this is happening
   more widely than just in my case. If there is any other testing I can apply that
   does not involve shell access, just let me know.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10140772)
 * I think those scanners scan all links, including static files such as images.
   Because NF is a PHP firewall, the image response headers will not include the
   security headers, and thus the scanner tells you they are missing.
 * You can try Firefox “Net” console (other browsers have the same feature more or less):
    - Press `CTRL + Shift + J` to display the console.
    - Select the “Net” tabs only.
    - Go to your website.
    - Click on the arrow beside the name of the site to display the response headers.
 *  Thread Starter [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10140912)
 * Ahh. That could be it then.
 * Oddly, the NFW security headers are showing as present in the Chrome console,
   but not in the Firefox console.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10141344)
 * Your best option is the cURL shell command: you can run it from SSH, or [from a plugin](https://wordpress.org/plugins/wpterm/),
   or from a PHP script that you can upload to your site and access it with your
   browser such as this one:
 *     ```
       <?php
       header('Content-Type: text/plain');
       echo {backtick}curl -I http://YOUR-BLOG/index.php{backtick};
       ```
   
 * Note: Replace the 2 “{backtick}” with the backtick characters.
 *  Thread Starter [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/http-response-headers/#post-10143429)
 * I tried the php script and the security headers set in NFW are present there.
   It looks like you’re right: the scanners I mentioned above have a flaw in how
   they collect this data from the header response. Many thanks for working through
   this.
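
The check the thread converges on, as an added example (not code from the thread or the plugin): read a raw header dump such as the output of `curl -sIL URL` and list which of the four headers configured above are absent from the final response. The host `blog.example` and both header dumps are constructed; they contrast a PHP page with a static image, which is the difference the plugin author describes.

```shell
# Headers the original poster enabled in the firewall settings.
WANTED="x-content-type-options x-frame-options x-xss-protection strict-transport-security"

# Reads raw response headers on stdin and prints the missing header names,
# space separated (empty line if none are missing). When redirects are
# followed, curl prints one header block per hop; only the last block is
# checked. Header names are case-insensitive and lines may end in CRLF.
missing_security_headers() {
  awk -v wanted="$WANTED" '
    { sub(/\r$/, "") }
    /^HTTP\// { split("", seen); next }   # new response block: forget earlier hop
    /^[^:]+:/ { name = tolower($0); sub(/:.*/, "", name); seen[name] = 1 }
    END {
      n = split(wanted, w, " "); out = ""
      for (i = 1; i <= n; i++)
        if (!(w[i] in seen)) out = (out == "" ? w[i] : out " " w[i])
      print out
    }'
}

# Constructed sample: a PHP page reached through one redirect.
PHP_PAGE=$(printf '%s\r\n' \
  'HTTP/1.1 301 Moved Permanently' \
  'Location: https://blog.example/index.php' \
  '' \
  'HTTP/1.1 200 OK' \
  'Content-Type: text/html; charset=UTF-8' \
  'X-Content-Type-Options: nosniff' \
  'X-Frame-Options: SAMEORIGIN' \
  'X-XSS-Protection: 1; mode=block' \
  'Strict-Transport-Security: max-age=31536000' \
  '')

# Constructed sample: a static image served without passing through PHP.
STATIC_FILE=$(printf '%s\r\n' \
  'HTTP/1.1 200 OK' \
  'Content-Type: image/png' \
  'Content-Length: 5120' \
  '')

echo "index.php missing: $(printf '%s\n' "$PHP_PAGE" | missing_security_headers)"
echo "logo.png  missing: $(printf '%s\n' "$STATIC_FILE" | missing_security_headers)"
```

Against a live site, pipe `curl -sIL` output for both a PHP URL and a static asset URL into `missing_security_headers` and compare the two results.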


The topic ‘HTTP response headers’ is closed to new replies.
