Title: Issue setting up Security Headers Last modified: May 23, 2025 --- # Issue setting up Security Headers * Resolved [pulpita](https://wordpress.org/support/users/pulpita/) * (@pulpita) * [10 months, 3 weeks ago](https://wordpress.org/support/topic/issue-setting-up-security-headers/) * Hey, * I’m trying to set up Security Headers, but they don’t show up on [securityheaders.com](https://securityheaders.com/) unless I deactivate WP Optimize. I tried different ways (using Headers Security Advanced & HSTS WP or Redirection Plugin ; or directly in the htaccess file). * What are your recommendations to achieve this ? * Thanks !!! Viewing 3 replies - 1 through 3 (of 3 total) * Plugin Support [Damilare](https://wordpress.org/support/users/deabiodun/) * (@deabiodun) * [10 months, 3 weeks ago](https://wordpress.org/support/topic/issue-setting-up-security-headers/#post-18480959) * Hi! Did you purge your site cache after adding the headers? If not, please do so.Also run the preloader afterward at _**WPO > Cache > Preload**_. * Let us know if that helps. * Kind regards. * Thread Starter [pulpita](https://wordpress.org/support/users/pulpita/) * (@pulpita) * [10 months, 3 weeks ago](https://wordpress.org/support/topic/issue-setting-up-security-headers/#post-18481050) * Thanks for your quick reply. * Yes, I did clear the cache after adding the headers. And I just tried again, running the preloader after, but no nothing. And as soon as I deactivate WP Optimize, all the security headers are recognized. * here are my settings : * / * ```wp-block-code ### WP-Optimize information ###Report generation time: 2025-05-23 15:34:02 (Europe/Paris)Cache size: 80 Mo (975 fichiers)Minify size: 670.85 KB (66 files)Logs: - smush-34040a71fc67e45eca43.log: 56 Ko - cache-34040a71fc67e45eca43.log: 149 Ko - wpo-minify-header-greenshift_core_navigation1747959407.min.css.json: 302 o - wpo-minify-header-pgc-simply-gallery-plugin-lightbox-style1747422138.min.css.json: 332 o - wpo-minify-footer-gspb_interactions1747959456.min.js.json: 354 o - wpo-minify-footer-gs-greenpanel1747959456.min.js.json: 344 o - wpo-minify-footer-gsshare1747959457.min.js.json: 340 o - wpo-minify-footer-akismet-frontend1747422009.min.js.json: 314 o - wpo-minify-header-boldblocks-youtube-block-view-script1737503682.min.js.json: 352 o - wpo-minify-footer-gs-toc1747959457.min.js.json: 325 o - wpo-minify-header-jqueryevents-manager1741599477.min.js.json: 327 o - wpo-minify-header-events-managerem-flatpickr-localization1741599476.min.js.json: 349 o - wpo-minify-footer-gs-accordion1747959456.min.js.json: 338 o - wpo-minify-footer-greenshift-inview-bg1747959456.min.js.json: 329 o - wpo-minify-footer-gsflipboxpanel1747959456.min.js.json: 327 o - wpo-minify-footer-gstextanimate1747959456.min.js.json: 331 o - wpo-minify-footer-gs-swiper-init1747959457.min.js.json: 329 o - wpo-minify-footer-greenShift-aos-lib1747959456.min.js.json: 330 o - wpo-minify-footer-gscounter1747959456.min.js.json: 322 o - wpo-minify-header-nf-display1747422115.min.css.json: 284 o - wpo-minify-header-nf-font-awesome1747422115.min.css.json: 283 o - wpo-minify-header-simply-gallery-block-frontend1747422138.min.css.json: 304 o - wpo-minify-footer-gspb_map1747959456.min.js.json: 325 o - wpo-minify-footer-gsvideo1747959457.min.js.json: 338 oWebP redirection rules: Redirection is disabledPlugin settings: { "epoch_date": 1748014442865, "local_date": "23/05/2025 17:34:02", "network_site_url": "https://ckmer.org", "data": { "cache_settings": { "enable_page_caching": 1, "auto_preload_purged_contents": 1, "enable_mobile_caching": 1, "enable_user_caching": 0, "page_cache_length_value": "30", "page_cache_length_unit": "days", "enable_schedule_preload": 1, "preload_schedule_type": "wpo_use_cache_lifespan", "cache_exception_urls": [ "/robots.txt", "/symposium-inscriptions/", "/symposium-info/", "/calendrier/", "/cal_test/", "/assemblee-generale-ckmer-2024-leporge/", "https://ckmer.org/test-map-page/" ], "cache_exception_cookies": [ "" ], "cache_exception_conditional_tags": [ "" ], "cache_exception_browser_agents": [ "SecurityHeaders.com", "observatory.mozilla.org" ] }, "minify_settings": { "enabled": "true", "enable_js": "true", "enable_css": "true", "html_minification": "false", "enable_js_minification": "true", "exclude_js": "/wp-content/plugins/ninja-forms/assets/js/*\r\n/wp-content/plugins/simply-gallery-block/blocks/pgc_sgb.min.js\r\n/test-map-page/", "enable_defer_js": "individual", "async_js": "", "defer_js_type": "defer", "exclude_delay_js": "", "enable_merging_of_js": "false", "enable_js_trycatch": "false", "exclude_js_from_page_speed_tools": "false", "defer_jquery": "false", "enable_delay_js": "false", "enable_preload_js": "false", "enable_css_minification": "true", "remove_print_mediatypes": "true", "exclude_css": "", "async_css": "", "enable_merging_of_css": "false", "inline_css": "false", "exclude_css_from_page_speed_tools": "false", "enable_display_swap": "true", "gfonts_method": "inherit", "fawesome_method": "inherit", "disable_google_fonts_processing": "false", "remove_googlefonts": "false", "enable_analytics": "false", "merge_inline_extra_css_js": "true", "disable_when_logged_in": "true", "emoji_removal": "true", "default_protocol": "https", "clean_header_one": "false", "cache_lifespan": "30", "minify_advanced_tab": "1", "debug": "false", "edit_default_exclutions": "false" }, "smush_settings": { "compression_server": "resmushit", "image_quality": "85", "lossy_compression": true, "back_up_original": true, "back_up_delete_after": false, "back_up_delete_after_days": "50", "preserve_exif": false, "autosmush": false, "show_smush_metabox": false, "webp_conversion": false }, "database_settings": "enable-auto-backup-1=true&enable-retention=true&retention-period=2&enable-revisions-retention=true&revisions-retention-count=2&enable-auto-backup-scheduled=true&enable-schedule=true&schedule_type=wpo_weekly&wp-optimize-auto%5Boptimize%5D=true&wp-optimize-auto%5Brevisions%5D=true&wp-optimize-auto%5Bdrafts%5D=true&wp-optimize-auto%5Bspams%5D=true&wp-optimize-auto%5Btransient%5D=true&wp-optimize-auto%5Busermeta%5D=true&_wpnonce_db_settings=0bfda39391&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpo_settings&enable_cache_in_admin_bar=1&_wpnonce=0bfda39391&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpo_settings&wp-optimize-auto[trash]=0&wp-optimize-auto[unapproved]=0&404_detector=0&enable-admin-bar=0" }}Réglages du cache: { "enable_page_caching": true, "page_cache_length_value": 30, "page_cache_length_unit": "days", "page_cache_length": 2592000, "cache_exception_conditional_tags": [ "" ], "cache_exception_urls": [ "\/robots.txt", "\/symposium-inscriptions\/", "\/symposium-info\/", "\/calendrier\/", "\/cal_test\/", "\/assemblee-generale-ckmer-2024-leporge\/", "https:\/\/ckmer.org\/test-map-page\/" ], "cache_exception_cookies": [ "" ], "cache_exception_browser_agents": [ "SecurityHeaders.com", "observatory.mozilla.org" ], "enable_sitemap_preload": false, "enable_schedule_preload": "1", "preload_schedule_type": "wpo_use_cache_lifespan", "enable_mobile_caching": "1", "enable_user_caching": "0", "site_url": "https:\/\/ckmer.org\/", "enable_cache_per_country": false, "enable_cache_aelia_currency": false, "permalink_structure": "\/%postname%\/", "uploads": "\/homepages\/42\/d149854795\/htdocs\/clickandbuilds\/ckmerorg\/wp-content\/uploads", "gmt_offset": 2, "timezone_string": "Europe\/Paris", "date_format": "j F Y", "time_format": "H:i", "use_webp_images": false, "show_avatars": 0, "host_gravatars_locally": 0, "auto_preload_purged_contents": "1", "wpo_cache_cookies": [], "wpo_cache_query_variables": []}Webroot .htaccess: # BEGIN All In One WP Security#AIOWPS_BASIC_HTACCESS_RULES_START Require all denied Order deny,allow Deny from all ServerSignature OffLimitRequestBody 104857600 Require all denied Order deny,allow Deny from all #AIOWPS_BASIC_HTACCESS_RULES_END#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START Require all denied Order deny,allow Deny from all #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END#AIOWPS_DISABLE_TRACE_TRACK_START RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]#AIOWPS_DISABLE_TRACE_TRACK_END#AIOWPS_PREVENT_IMAGE_HOTLINKS_START RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{REQUEST_FILENAME} -f RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://ckmer\.org [NC] RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]#AIOWPS_PREVENT_IMAGE_HOTLINKS_END# END All In One WP Security# BEGIN LSCACHE# END LSCACHE# BEGIN NON_LSCACHE# END NON_LSCACHE AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE text/cache-manifest AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE text/vcard AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc AddOutputFilterByType DEFLATE text/vtt AddOutputFilterByType DEFLATE text/x-component AddOutputFilterByType DEFLATE text/x-cross-domain-policy AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/ld+json AddOutputFilterByType DEFLATE application/atom+xml AddOutputFilterByType DEFLATE application/manifest+json AddOutputFilterByType DEFLATE application/rdf+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/schema+json AddOutputFilterByType DEFLATE application/vnd.geo+json AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-web-app-manifest+json AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE font/eot AddOutputFilterByType DEFLATE font/opentype AddOutputFilterByType DEFLATE image/bmp AddOutputFilterByType DEFLATE image/svg+xml AddOutputFilterByType DEFLATE image/vnd.microsoft.icon AddOutputFilterByType DEFLATE image/x-icon ExpiresActive On ExpiresByType text/css A2419200 ExpiresByType text/x-component A2419200 ExpiresByType application/x-javascript A2419200 ExpiresByType application/javascript A2419200 ExpiresByType text/javascript A2419200 ExpiresByType text/x-js A2419200 ExpiresByType text/html A3600 ExpiresByType text/richtext A3600 ExpiresByType image/svg+xml A3600 ExpiresByType text/plain A3600 ExpiresByType text/xsd A3600 ExpiresByType text/xsl A3600 ExpiresByType text/xml A3600 ExpiresByType video/asf A2419200 ExpiresByType video/avi A2419200 ExpiresByType image/bmp A2419200 ExpiresByType application/java A2419200 ExpiresByType video/divx A2419200 ExpiresByType application/msword A2419200 ExpiresByType application/vnd.ms-fontobject A2419200 ExpiresByType application/x-msdownload A2419200 ExpiresByType image/gif A2419200 ExpiresByType application/x-gzip A2419200 ExpiresByType image/x-icon A2419200 ExpiresByType image/jpeg A2419200 ExpiresByType application/json A2419200 ExpiresByType application/vnd.ms-access A2419200 ExpiresByType audio/midi A2419200 ExpiresByType video/quicktime A2419200 ExpiresByType audio/mpeg A2419200 ExpiresByType video/mp4 A2419200 ExpiresByType video/mpeg A2419200 ExpiresByType application/vnd.ms-project A2419200 ExpiresByType application/x-font-otf A2419200 ExpiresByType application/vnd.ms-opentype A2419200 ExpiresByType application/vnd.oasis.opendocument.database A2419200 ExpiresByType application/vnd.oasis.opendocument.chart A2419200 ExpiresByType application/vnd.oasis.opendocument.formula A2419200 ExpiresByType application/vnd.oasis.opendocument.graphics A2419200 ExpiresByType application/vnd.oasis.opendocument.presentation A2419200 ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2419200 ExpiresByType application/vnd.oasis.opendocument.text A2419200 ExpiresByType audio/ogg A2419200 ExpiresByType application/pdf A2419200 ExpiresByType image/png A2419200 ExpiresByType application/vnd.ms-powerpoint A2419200 ExpiresByType audio/x-realaudio A2419200 ExpiresByType image/svg+xml A2419200 ExpiresByType application/x-shockwave-flash A2419200 ExpiresByType application/x-tar A2419200 ExpiresByType image/tiff A2419200 ExpiresByType application/x-font-ttf A2419200 ExpiresByType application/vnd.ms-opentype A2419200 ExpiresByType audio/wav A2419200 ExpiresByType audio/wma A2419200 ExpiresByType application/vnd.ms-write A2419200 ExpiresByType application/font-woff A2419200 ExpiresByType application/vnd.ms-excel A2419200 ExpiresByType application/zip A2419200 RewriteEngine On RewriteBase / RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]AddHandler x-mapp-php5.5 .php# BEGIN WordPress# Les directives (lignes) entre « BEGIN WordPress » et « END WordPress » sont générées# dynamiquement, et doivent être modifiées uniquement via les filtres WordPress.# Toute modification des directives situées entre ces marqueurs sera surchargée. RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]# END WordPress# BEGIN FRedirect_ErrorDocument# Les directives (lignes) entre 'BEGIN FRedirect_ErrorDocument' et 'END FRedirect_ErrorDocument' sont# généré dynamiquement, et ne doivent uniquement être modifiées via les filtres WordPress.# Toute modification des directives entre ces marqueurs sera outrepassée.ErrorDocument 404 /index.php?error=404# END FRedirect_ErrorDocument RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://ckmer.org/$1 [R=301,L]# BEGIN Headers Security Advanced & HSTS WP 5.0.44 Header set Access-Control-Allow-Methods "GET,POST" Header set Access-Control-Allow-Headers "Content-Type, Authorization" Header set Content-Security-Policy "upgrade-insecure-requests;" Header set Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'" Header set Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'" Header set Cross-Origin-Opener-Policy "unsafe-none" Header set Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'" Header set Cross-Origin-Resource-Policy "cross-origin" Header set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Strict-Transport-Security "max-age=63072000; includeSubDomains" Header set X-Content-Security-Policy "default-src 'self'; img-src *; media-src * data:;" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set X-Permitted-Cross-Domain-Policies "none"# END Headers Security Advanced & HSTS WP### WordPress ###Version: 6.8.1URL de la page d’accueil: https://ckmer.orgURL du site: https://ckmer.orgStructure des permaliens: /%postname%/Est-ce que ce site utilise HTTPS ?: Oui### Extensions avancées ###advanced-cache.php: Extension de cache avancée.### Thème actif ###Nom: Greenshift (greenshift)Version: 2.6.4### Extensions actives ###Akismet Anti-spam: Spam Protection: Version 5.4 par Automattic - Anti-spam Team | Mises à jour auto désactivéesAll-In-One Security (AIOS): Version 5.4.1 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivéesBetter YouTube Embed Block: Version 1.1.2 par Phi Phan | Mises à jour auto désactivéesCode Snippets: Version 3.6.8 par Code Snippets Pro | Mises à jour auto désactivéesConverter for Media: Version 6.2.2 par matt plugins | Mises à jour auto désactivéesEvents Manager: Version 6.6.4.4 par Pixelite | Mises à jour auto désactivéesGA Google Analytics: Version 20250326 par Jeff Starr | Mises à jour auto désactivéesGreenShift - Animation and Page Builder Blocks: Version 11.5.5 par Wpsoul | Mises à jour auto désactivéesGreenshift Smart Code AI: Version 0.3 par Wpsoul | Mises à jour auto désactivéesGTranslate: Version 3.0.8 par Translate AI Multilingual Solutions | Mises à jour auto désactivéesHeaders Security Advanced & HSTS WP: Version 5.0.44 par 🐙 Andrea Ferro | Mises à jour auto désactivéesIndependent Analytics: Version 2.11.4 par Independent Analytics | Mises à jour auto désactivéesNinja Forms: Version 3.10.1 par Saturday Drive | Mises à jour auto désactivéesRedirection: Version 5.5.2 par John Godley | Mises à jour auto désactivéesSimpLy Gallery Block & Lightbox: Version 3.2.6 par GalleryCreator | Mises à jour auto désactivéesThe SEO Framework: Version 5.1.2 par The SEO Framework Team | Mises à jour auto désactivéesThe SEO Framework - Extension Manager: Version 2.7.1 par The SEO Framework Team | Mises à jour auto désactivéesUpdraftPlus - Backup/Restore: Version 1.25.5 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivéesWP-Optimize - Clean, Compress, Cache: Version 4.2.1 par TeamUpdraft, DavidAnderson | Mises à jour auto désactivéesWP Mail SMTP: Version 4.4.0 par WP Mail SMTP | Mises à jour auto désactivées### Serveur ###Architecture serveur: Linux 4.4.400-icpu-101 x86_64Serveur web: ApacheVersion de PHP: 8.3.21 (Supporte les valeurs 64 bits)PHP SAPI: cgi-fcgiValeur maximale des variables PHP: 1000Limite d’exécution PHP: 30Limite de mémoire PHP: 268435456Temps d’entrée max: -1Taille maximale de téléversement de fichier: 67108864Taille maximale d’envoi de PHP: 67108864Version de cURL: 7.74.0 OpenSSL/1.1.1wHeure actuelle: 2025-05-23T15:34:02+00:00 ``` * Plugin Support [Damilare](https://wordpress.org/support/users/deabiodun/) * (@deabiodun) * [10 months, 2 weeks ago](https://wordpress.org/support/topic/issue-setting-up-security-headers/#post-18483747) * Thanks for the settings you’ve provided. Let me try replicating the issue on my end. Expect feedback on what I find. * Regards. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Issue setting up Security Headers’ is closed to new replies. * ![](https://ps.w.org/wp-optimize/assets/icon-256x256.png?rev=1552899) * [WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance](https://wordpress.org/plugins/wp-optimize/) * [Frequently Asked Questions](https://wordpress.org/plugins/wp-optimize/#faq) * [Support Threads](https://wordpress.org/support/plugin/wp-optimize/) * [Active Topics](https://wordpress.org/support/plugin/wp-optimize/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wp-optimize/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wp-optimize/reviews/) * 3 replies * 2 participants * Last reply from: [Damilare](https://wordpress.org/support/users/deabiodun/) * Last activity: [10 months, 2 weeks ago](https://wordpress.org/support/topic/issue-setting-up-security-headers/#post-18483747) * Status: resolved