intcultcom
(Steve Revere)
1
So I’m about to add some security headers to my MainWP website:
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy no-referrer-when-downgrade
Header set Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; script-src-elem 'self' 'unsafe-inline'; form-action 'self'; font-src 'self' data:"
If I add those to the .htaccess file, will it mess up any connections?
Thanks!
7thcircle
(Eric Leuthardt)
2
Those headers will not cause any issues, but they are not the best. Try the ones I added here and be careful with any CSP you set
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-XSS-Protection "0"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header always set X-Robots-Tag "noindex, nofollow, nosnippet, noimageindex"
1 Like
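One way to check what either set of .htaccess rules actually produces once deployed, as an added example that is not part of either post: paste the raw output of `curl -sI https://your-site/` in place of the constructed sample and run the audit. It flags the points raised in the reply above (X-XSS-Protection left enabled, cookies without HttpOnly and Secure, 'unsafe-inline' in the script directives of the CSP).

```python
# Added example, not from the thread. SAMPLE_HEADERS is a constructed response
# approximating what the first post's rules would send back.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Set-Cookie: wordpress_test_cookie=WP; path=/; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; script-src-elem 'self' 'unsafe-inline'; form-action 'self'; font-src 'self' data:
"""

REQUIRED = ("x-frame-options", "x-content-type-options",
            "referrer-policy", "content-security-policy")

def parse_headers(raw):
    """Map lowercased header name -> list of values (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_csp(policy):
    """Split a CSP value into {directive: [source expressions]}."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp

def audit(raw):
    """Return findings for the weak spots discussed in the thread; [] is clean."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    # The reply sets X-XSS-Protection to 0: the legacy browser filter is
    # deprecated, and CSP is what should carry that job now.
    if h.get("x-xss-protection", ["0"])[0] != "0":
        findings.append("x-xss-protection should be 0")
    for cookie in h.get("set-cookie", []):
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= flags:
            findings.append(f"cookie without HttpOnly+Secure: {cookie.split('=')[0]}")
    for policy in h.get("content-security-policy", []):
        for directive, sources in parse_csp(policy).items():
            if directive.startswith("script-src") and "'unsafe-inline'" in sources:
                findings.append(f"csp {directive} allows 'unsafe-inline'")
    return findings
```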
intcultcom
(Steve Revere)
3
Thank you @7thcircle !!!
I’ll keep investigating and try to get my CSP right as well.
1 Like
system
(system)
Closed
4
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.