SSL & Security Headers

How-to obtain an A+ rating for your website

There are many detailed tutorials on the web on this subject; below is a short summary of the steps that were needed to obtain an A+ rating from SSL Labs and securityheaders.com.

When you move your website to HTTPS (SSL/TLS), you need to ensure all HTTP requests are redirected to HTTPS. Add the lines below to your web server's .htaccess file to enforce a redirect to HTTPS:

# Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

To obtain an A+ rating on securityheaders.com, you need to add a few headers in your web server's .htaccess file. The Content Security Policy (last line) might require additional sources depending on your theme, plugins, etc. Open the Web Inspector (developer tools console) in your browser to see which content is being blocked:

# Header Options
<IfModule mod_headers.c>
 # "set" rather than "append": a second X-Frame-Options value makes the header invalid
 Header always set X-Frame-Options SAMEORIGIN
 Header set X-XSS-Protection "1; mode=block"
 Header set X-Content-Type-Options nosniff
 Header set Referrer-Policy no-referrer-when-downgrade
 Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
 Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com"
</IfModule>
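To see whether a response actually carries the headers above, and which resources the policy will block before you hunt for them in the Web Inspector, the following added Python script (not part of the original article) audits a set of response headers and evaluates the Content-Security-Policy against candidate resource origins. The sample headers, the page origin https://example.com and the candidate origins are constructed for the example; the CSP matcher is deliberately simplified (no port or scheme-upgrade rules) and the `frame-src` fallback goes straight to `default-src`.

```python
"""Audit response headers for the how-to's A+ set and evaluate a CSP.

Constructed example: the headers below are what a server configured with the
.htaccess above would be expected to send, not captured traffic.
"""
import re

SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self'; connect-src 'self'; "
        "img-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
        "font-src 'self' fonts.googleapis.com fonts.gstatic.com"
    ),
}

# Headers the how-to sets that a scanner such as securityheaders.com looks for.
REQUIRED = ["Strict-Transport-Security", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Content-Security-Policy"]

# Fetch directives that fall back to default-src when they are not listed.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "child-src",
                    "worker-src", "manifest-src"}


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # First occurrence wins: browsers ignore a repeated directive.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(source, origin, page_origin):
    """Simplified source-expression match (assumption: no ports, no scheme upgrade)."""
    s = source.lower()
    if s == "'self'":
        return origin == page_origin
    if s.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if s == "*":
        return True
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", s):  # scheme-source such as https:
        return origin.startswith(s)
    scheme, _, host = s.rpartition("://")
    origin_scheme, _, origin_host = origin.rpartition("://")
    if scheme and scheme != origin_scheme:
        return False
    if host.startswith("*."):
        return origin_host.endswith(host[1:])
    return origin_host == host


def is_allowed(directives, directive, origin, page_origin):
    """Decide whether a resource from `origin` may load under `directive`."""
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no policy for this directive: the browser allows it
    return any(source_matches(s, origin, page_origin) for s in sources)


def audit_headers(headers):
    """Return a list of findings; an empty list means the basic checks pass."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in REQUIRED:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    m = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    # 'Header append' on an already-set header yields "SAMEORIGIN, SAMEORIGIN",
    # which browsers treat as an invalid (and therefore ignored) header.
    if "," in lower.get("x-frame-options", ""):
        findings.append("X-Frame-Options has multiple values; browsers ignore it")
    return findings


if __name__ == "__main__":
    print("findings:", audit_headers(SAMPLE_HEADERS))
    csp = parse_csp(SAMPLE_HEADERS["Content-Security-Policy"])
    page = "https://example.com"  # constructed page origin
    for directive, origin in [("font-src", "https://fonts.gstatic.com"),
                              ("script-src", "https://cdn.example.net"),
                              ("frame-src", "https://www.youtube.com")]:
        state = "allowed" if is_allowed(csp, directive, origin, page) else "BLOCKED"
        print(f"{directive:<11} {origin:<30} {state}")
```

Run it against headers copied from your own server's response to see which directive blocks a resource; a resource that falls into `default-src 'none'` (such as an embedded frame above) needs its own directive added, not a broader `default-src`.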

In some directories you might want a different Content-Security-Policy, or none at all. For those directories, simply add a .htaccess file with the following rule:

<IfModule mod_headers.c>
 Header unset Content-Security-Policy
</IfModule>