Today I did a test using the following site:
https://www.webpagetest.org/I received a "D" for security score:
❌ The following security headers are missing from the website:
medium severity
X Frame Options
Clickjacking protection: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from - allow from specified location, allowall - non-standard, allow from any location
high severity
Content Security Policy
A computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context
Content Security Policy documentation
low severity
X XSS Protection
A Cross-site scripting filter
How do I add these? They should be included as part of the original setup.
There is an earlier thread on this from 2 yrs ago, but the recommended fix crashes the website.