Server security

@eris
I just added:

Include conf-enabled/security.conf

It worked, apart from having to comment out:

#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#Header always set X-Frame-Options DENY
#Header always set X-Content-Type-Options nosniff

Hi all, I finally managed to activate the headers below.
The headers module needed to be activated, so on the command line I ran
sudo a2enmod headers

and then added the following to /etc/apache2/conf-enabled/security.conf

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none';"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header always set Feature-Policy "fullscreen 'none' "
</IfModule>

don’t forget to add the line below to /etc/apache2/apache2.conf
Include conf-enabled/security.conf

and run sudo systemctl reload apache2 on the command line

it will work :smiley:


Glad it works for you, but as others pointed out, be careful with editing the main config files, as they could potentially be overwritten by future upgrades. Always create additional custom configs and let them be included by the given options inside the main configs.

Also, about the nosniff and same-origin directives: I can only recommend being very careful with those as well. A lot of common CMSs and frameworks tend to set these things within their own rules/.htaccess/etc., so you might end up having them doubled up, which again might lead the browser to further complaints (had that case before).

Sometimes one can simply overdo or overthink things, just to get the impression of seeing a green light on someone else’s testing suite that might change soon anyway (PageSpeed and co. come to mind).

Just saying, don’t blindly trust every bs written on such testing pages :wink:


Hi @falzo, you are very right! I did think about it after achieving this, as the Vstats stopped working.
The solution has to be within .htaccess or the actual CMS individually, as you said.
Next I will implement it in .htaccess, I think :wink:

So one way of re-using code on a per-domain basis is to symlink to it.
Example: you put your security code into a file, say /etc/apache2/snippets/header-security.conf
Then for each domain you want to activate it for, you make a symlink, e.g.
ln -s /etc/apache2/snippets/header-security.conf /home/user/conf/web/domain.com/apache2.conf_headers
and probably another one for the SSL config
ln -s /etc/apache2/snippets/header-security.conf /home/user/conf/web/domain.com/apache2.ssl.conf_headers
This works because the two Apache configs will automatically include any files starting with apache2.conf_ or apache2.ssl.conf_ in that directory.
Run apachectl -t to test the config before you restart.


Hi all! I keep getting a warning in WordPress about security headers. I have performed all the necessary actions on the web server side, but I still see this error. My server settings:

NGINX conf:
# SSL PCI compliance
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_buffer_size 1400;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "blablabla ciphers keys =)";
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Expect-CT 'enforce; max-age=7776000';
add_header X-Frame-Options "SAMEORIGIN";

apache2.conf:

Include conf-enabled/security.conf

At the very end of the file security.conf, I added the rules:

Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"

At the same time, I constantly see an error in WordPress (see screenshot)

curl -I https://domain.com

root@geek-speak:/etc/apache2/conf-enabled# curl -I https://mydomain
HTTP/2 200
date: Fri, 18 Jun 2021 11:34:34 GMT
content-type: text/html; charset=UTF-8
content-length: 175840
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
expect-ct: max-age=7776000, enforce
referrer-policy: no-referrer-when-downgrade
content-security-policy: upgrade-insecure-requests
last-modified: Thu, 17 Jun 2021 07:53:13 GMT
etag: "2aee0-5c4f17fc59563"
accept-ranges: bytes
vary: Accept-Encoding
referrer-policy: no-referrer-when-downgrade
pragma: public
cache-control: max-age=3600, public
strict-transport-security: max-age=15768000;

Do you have the HSTS check box enabled?

Yep. This check box is worth

I removed the HSTS check box in the control panel; now the output of curl -I https://mydomain looks like this:

HTTP/2 200
date: Mon, 21 Jun 2021 05:59:54 GMT
content-type: text/html; charset=UTF-8
content-length: 175840
vary: Accept-Encoding
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
expect-ct: max-age=7776000, enforce
referrer-policy: no-referrer-when-downgrade
content-security-policy: upgrade-insecure-requests
last-modified: Thu, 17 Jun 2021 07:53:13 GMT
etag: "2aee0-5c4f17fc59563"
accept-ranges: bytes
vary: Accept-Encoding
referrer-policy: no-referrer-when-downgrade
pragma: public
cache-control: max-age=3600, public
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: upgrade-insecure-requests
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
expect-ct: enforce; max-age=7776000
x-frame-options: SAMEORIGIN

But the warning about the headers not working in WordPress still says that they are not installed. I suspect it is doing the validation specifically on the .htaccess file, and not on the apache2 + nginx configs?
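An added check, not from this thread, that reads a raw header block like the curl -I output above and reports which of the expected security headers are missing, emitted twice, or emitted twice with differing values (two strict-transport-security lines, as happens when both the proxy layer and the backend set them). The sample input is constructed from the posted output, and the EXPECTED table is an assumption about which headers the poster wants.

```python
"""Audit a raw HTTP/1.x or HTTP/2 response header block for security headers.

Added example; not from the forum thread. SAMPLE is constructed to mirror the
`curl -I` output posted above, where two layers set the same headers.
"""
from __future__ import annotations
from collections import defaultdict

# Headers the thread is trying to enable, with a substring each value must carry
# ("" means any value is accepted). Assumed list, not a project setting.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": "",
    "content-security-policy": "",
    "referrer-policy": "",
}

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Group header values by lowercased name, keeping every occurrence."""
    found: dict[str, list[str]] = defaultdict(list)
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        found[name.strip().lower()].append(value.strip())
    return dict(found)

def audit(raw: str) -> dict[str, list[str]]:
    """Return {'missing': [...], 'duplicated': [...], 'conflicting': [...]}."""
    headers = parse_headers(raw)
    report: dict[str, list[str]] = {"missing": [], "duplicated": [], "conflicting": []}
    for name, needle in EXPECTED.items():
        values = headers.get(name, [])
        if not values or not all(needle in v for v in values):
            report["missing"].append(name)
        elif len(values) > 1:
            report["duplicated"].append(name)
            # Same header twice with different values: browsers may honour either one
            if len({v.rstrip(";").strip() for v in values}) > 1:
                report["conflicting"].append(name)
    return report

SAMPLE = """HTTP/2 200
date: Mon, 21 Jun 2021 05:59:54 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-security-policy: upgrade-insecure-requests
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
"""
```

Feed it the output of `curl -sI https://yourdomain` to see which layer (proxy or backend) still needs its header removed.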

Hi, I’m new to Hestia and also to Nginx, so I’m still on the learning curve.
I am trying to figure out how to implement the security headers too.
I just installed it on a fresh Ubuntu 20.04.4 LTS.
Hestia is installed without Apache, just Nginx as the web server (installed version 1.21.6).
I tried what I saw in previous answers by editing the NGINX conf and adding the headers in the SSL PCI compliance block.
Tested the config and restarted.
Nothing happened to the page headers output.
I struggled for a few hours reading other tutorials and documentation too, but without success.
Only HSTS from Edit Web Domain is working.
Can you please give me a hint where to look?
Thanks

Would you please detail what exact headers you are trying to implement?
Where are you putting them?

Do you want them globally for all websites or just for selected ones? If only selected ones, you should look at editing the web templates.

If you seek help, please post clearly what you want to achieve, what actions you have taken so far, etc.

A good night’s sleep, reading the comments again, and your hint took me in the right direction.

My conclusion:
If we add the security headers in /etc/nginx/nginx.conf, these will be globally active at the server level.

! If we check the HSTS checkbox in Edit Web Domain, the headers declared in nginx.conf are ignored and only the HSTS header remains. As a result, for a website where we want a specific configuration, we should add them in home/user/conf/web/domain/

Thank you mehargags