If you have our WordPress plugin installed, we will automatically try to inject the security headers into the response. If this does not work, you may have to review the permission (chmod) settings of the .htaccess file in the root of your website through FTP or a file manager in cPanel/WHM/Plesk. Generally, it is set to 644. However, depending on the hosting environment, it is sometimes required to chmod it to 755, 775 or even 777 (in case the host has not properly configured the group/owner settings on your hosting account). Mode 777 makes the file writable by every user on the server, so choose the least permissive of these settings that works.

After you change the permission of the .htaccess file to one of the above settings, deactivate and reactivate our plugin; the headers should then be injected into the response.

If you do not have a WordPress site or do not want to use our plugin, you can manually add the following security headers into the .htaccess file if you use Apache:
<IfModule mod_headers.c>
   Header set Referrer-Policy "strict-origin-when-cross-origin"
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Content-Type-Options "nosniff"
   Header set X-Frame-Options "SAMEORIGIN"
   Header set Strict-Transport-Security "max-age=31536000"
   Header unset X-Powered-By
</IfModule>

If you are running nginx, add the following to the configuration file and restart or reload nginx:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000";
add_header Referrer-Policy "strict-origin-when-cross-origin";

Additionally, to permanently remove the X-Powered-By header rather than unsetting it with the above changes, set the expose_php value of your PHP configuration to "Off". You may have to ask your host to make the above changes.

Note that it may take up to 12 hours before the security headers error in the portal is resolved. Alternatively, click on the "Rescan Site" button when you view your site in our portal.
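
To check the result yourself without waiting for the portal, the following added example (not part of our plugin or portal) audits a raw HTTP response against the header values listed above. The function name audit_headers and the sample response are constructed for illustration.

```python
# Added example: audit a raw HTTP response for the headers from this article.
from email.parser import Parser

# Expected values, copied from the Apache/nginx snippets above.
EXPECTED = {
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "strict-transport-security": "max-age=31536000",
}

def audit_headers(raw_response: str) -> dict:
    """Report missing, mismatched and duplicated headers, plus X-Powered-By."""
    # Drop the status line, then parse the header block up to the blank line.
    _, _, header_block = raw_response.replace("\r\n", "\n").partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)
    report = {"missing": [], "mismatched": {}, "duplicated": [], "leaked": []}
    for name, want in EXPECTED.items():
        values = [v.strip() for v in msg.get_all(name, [])]  # case-insensitive
        if not values:
            report["missing"].append(name)
            continue
        if len(values) > 1:  # header sent more than once (set in two places)
            report["duplicated"].append(name)
        if any(v.lower() != want.lower() for v in values):
            report["mismatched"][name] = values
    if msg.get_all("x-powered-by"):  # should be gone after the changes above
        report["leaked"].append("x-powered-by")
    return report

# Constructed sample response (not captured from a real site).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: PHP/8.x\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

The output of `curl -sI` against your own site can be passed to audit_headers as the raw response.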
