SSL & Security Headers
How to obtain an A+ rating for your website
There are many detailed tutorials on the web on this subject; below is a short summary of the steps that were needed to obtain an A+ rating from SSL Labs and securityheaders.com, or a certified report from Websiteplanet.
When you move your website to HTTPS (SSL/TLS), you need to ensure that all HTTP requests are redirected to HTTPS. Add the lines below to your web server's .htaccess file to enforce a redirect to HTTPS:
# Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
To obtain an A+ rating on securityheaders.com, you need to add a few directives to your web server's .htaccess file. The Content-Security-Policy (last line) might require additional sources depending on your theme, plugins, etc.; open the web inspector in your browser to see which content is being blocked:
# Header Options
<IfModule mod_headers.c>
# "set" rather than "append": if the application also sends X-Frame-Options, "append" yields "SAMEORIGIN, SAMEORIGIN", which browsers ignore
Header always set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy no-referrer-when-downgrade
# HSTS for one year, only sent on HTTPS responses
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com"
</IfModule>
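As an added check (example code written for this page, not part of the original), the following Python audits a server's response headers against the policy above and reports what is missing or weak; the two sample responses are constructed, not taken from a real site.

```python
import re

MIN_HSTS_AGE = 31536000  # one year, as in the .htaccess block above

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split "default-src 'none'; script-src 'self'" into {directive: sources}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the policy above is in place."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options", "")
    if "," in xfo:  # "SAMEORIGIN, SAMEORIGIN": 'Header append' plus an app-set header
        findings.append("X-Frame-Options carries several values; browsers ignore it")
    elif xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age < {MIN_HSTS_AGE}")
    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("Content-Security-Policy missing or has no default-src fallback")
    elif "'unsafe-inline'" in csp.get("script-src", csp["default-src"]):
        findings.append("Content-Security-Policy allows inline scripts")
    return findings

# Constructed sample: what a server running the .htaccess block above should send.
GOOD = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; "
    "img-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
    "font-src 'self' fonts.googleapis.com fonts.gstatic.com",
}
# Constructed sample: a typical misconfiguration (duplicated XFO, short HSTS, no CSP fallback).
BAD = {"X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",
       "Strict-Transport-Security": "max-age=300",
       "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
```

To audit a live site, pass it `dict(urllib.request.urlopen(url).headers)`; `audit(GOOD)` returns an empty list and `audit(BAD)` lists five findings.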
For some directories you might want a different Content-Security-Policy, or none at all. For those directories, simply add a .htaccess file containing the following rule:
<IfModule mod_headers.c>
Header unset Content-Security-Policy
</IfModule>