If you have our WordPress plugin installed, we will automatically try to inject the security headers into the response.
If this does not work, perhaps due to an aggressive caching plugin or caching/proxy server, you may have to add the .htaccess rules below manually to your .htaccess file.
Adding the security headers automatically
To add the security headers automatically you need to navigate to app or Patchstack plugin in your WordPress dashboard.
How to do it via Patchstack plugin?
Navigate to your WordPress dashboard
On the left side menu find Settings
Under Settings find Security
From the Patchstack plugin menu click Firewall
Scroll down until you see .htaccess Features
Tick the green box "Add security headers"
Scroll down and Save settings
How to do it in Patchstack app?
Click on the site you want to add security headers to from Portal dashboard
Scroll down and find the Hardening tab
From the Hardening options choose Firewall tab
Click the option "Add security headers"
Scroll down and click Save settings
Adding the security headers manually
If you do not have a WordPress site or do not want to use our plugin, you can manually add the following security headers into the .htaccess file if you use Apache:
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=31536000"
Header unset X-Powered-By
If you are running nginx, add the following to the configuration file and restart or reload nginx:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000";
add_header Referrer-Policy "strict-origin-when-cross-origin";
Additionally, in order to permanently remove the X-Powered-By header instead of using above changes, set the expose_php value of your PHP configuration to "Off". You may have to ask your host to make above changes.
Note that it may take up to 12 hours before the security headers error in the portal is resolved. Or click on the "Rescan Site" button when you view your site in our portal.