Author Topic: Security headers are missing  (Read 2906 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
Security headers are missing
« on: September 24, 2020, 06:06:23 PM »
Today I did a test using the following site:
https://www.webpagetest.org/

I received a "D" for security score:
❌ The following security headers are missing from the website:

medium severity
X Frame Options
Clickjacking protection: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from - allow from specified location, allowall - non-standard, allow from any location

high severity
Content Security Policy
A computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context
Content Security Policy documentation

low severity
X XSS Protection

A Cross-site scripting filter

How do I add these? They should be included as part of the original setup.

There is an earlier thread on this from 2 yrs ago, but the recommended fix crashes the website.
Peter Nyiri
FunnelXpert