How to add security headers with Patchstack?
If you have the Patchstack plugin installed, we will automatically try to inject the security headers into the response.
Because these headers can be injected into the HTTP response at runtime, they may not appear in your .htaccess file even when they are active. To confirm which headers are being sent, check the live response (for example with securityheaders.com) instead of reading .htaccess. Avoid adding the same headers both automatically and manually, or you may end up with duplicate headers. For how these settings relate to each other, see How hardening and security headers work.
If this does not work, perhaps due to an aggressive caching plugin or caching/proxy server, you may have to manually add the .htaccess rules below to your .htaccess file.
Adding the security headers automatically
Section titled “Adding the security headers automatically”To automatically add the security headers, you need to navigate to the Patchstack App or Patchstack plugin in your WordPress dashboard.
How to do it in the Patchstack App?
- Navigate to your site from the Patchstack App > Sites
- Click on the Hardening tab
- Click on the .htaccess sub-tab
- Switch on the option “Add security headers”
- Scroll down and click Save settings
Adding the security headers manually
Section titled “Adding the security headers manually”You can manually add the following security headers into the .htaccess file if you use Apache:
<IfModule mod_headers.c> Header set Referrer-Policy "strict-origin-when-cross-origin" Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set Strict-Transport-Security "max-age=31536000" Header unset X-Powered-By </IfModule>
If you are running nginx, add the following to the nginx configuration file and restart or reload nginx:
add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31536000"; add_header Referrer-Policy "strict-origin-when-cross-origin";
Additionally, in order to permanently remove the X-Powered-By header instead of using the above changes, set the expose_php value of your PHP configuration to “Off”. You may have to ask your host to make the above changes.
More help
Section titled “More help”A more detailed guide about security headers can be found in this article: https://patchstack.com/articles/wordpress-security-headers/
In case you need help, turn to our support chat - just click the green chat bubble at the bottom right corner!