fbpx

HTTPS Security Settings for Apache

Well I got into some interesting spaces when I found this site :

https://securityheaders.com

and https://hstspreload.org

In order to get an A+ rating for my blog, I went through all the suggested routines and while I won’t detail them, below is what I have landed on for what works on my WordPress site.

Inject this into your .htaccess file on your Apache webserver

Header set Content-Security-Policy “upgrade-insecure-requests”

Header set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”

Header set X-Xss-Protection “1; mode=block”

Header set Referrer-Policy “strict-origin”

Header set Permissions-Policy “geolocation=self”

Header set Access-Control-Allow-Origin “https://*yoursite.com*”

Header set Cross-Origin-Embedder-Policy “unsafe-none”

Header set Cross-Origin-Opener-Policy “unsafe-none”

Header set Cross-Origin-Resource-Policy “same-site”