Skip to content

How to fix the missing security headers issue?

In the Patchstack App, this may show up under “improvements” when you view your site.

If you have our WordPress plugin installed, we will automatically try to inject the security headers into the response.

If this does not work, perhaps due to an aggressive caching plugin or caching/proxy server, you may have to manually add the .htaccess rules below to your .htaccess file.

Adding the security headers automatically

To automatically add the security headers, you need to navigate to the Patchstack App or Patchstack plugin in your WordPress dashboard.

How to do it via Patchstack plugin?

  1. Navigate to your WordPress dashboard
  2. On the left side menu find Settings
  3. Under Settings find Security
  4. From the Patchstack plugin menu click Firewall
  5. Scroll down until you see .htaccess Features
  6. Tick the green box "Add security headers"
  7. Scroll down and Save settings

How to do it in the Patchstack App?

  1. Click on the application you want to add security headers to from the Patchstack App dashboard
  2. Click on the Hardening tab
  3. Click on the .htaccess sub-tab
  4. Switch on the option "Add security headers"
  5. Scroll down and click Save settings

Adding the security headers manually

You can manually add the following security headers into the .htaccess file if you use Apache:

<IfModule mod_headers.c>
   Header set Referrer-Policy "strict-origin-when-cross-origin"
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Content-Type-Options "nosniff"
   Header set X-Frame-Options "SAMEORIGIN"
   Header set Strict-Transport-Security "max-age=31536000"
   Header unset X-Powered-By

If you are running nginx, add the following to the nginx configuration file and restart or reload nginx:

add_header X-Frame-Options SAMEORIGIN;  
add_header X-Content-Type-Options nosniff;  
add_header X-XSS-Protection "1; mode=block";  
add_header Strict-Transport-Security "max-age=31536000";  
add_header Referrer-Policy "strict-origin-when-cross-origin";

Additionally, in order to permanently remove the X-Powered-By header instead of using the above changes, set the expose_php value of your PHP configuration to “Off”. You may have to ask your host to make the above changes.

Note that it may take up to 12 hours before the security headers error in the App is resolved.