glad it works for you, but as others pointed out, be careful with editing the main config files, as they potentially could be overwritten by future upgrades. always create additional custom configs and let them be included by the given options inside the main configs.
also about the no-sniff, and same-origin directives: I can only recommend being very careful with that as well. a lot of common CMSs and frameworks tend to set these things within their own rules/.htaccess/etc. so you might end up with having them doubled up, which again might lead the browser to further complaints (had that case before).
sometimes one can simply overdo or overthink things, just to get the impression of seeing a green light on someone else's testing suite that might change soon anyway (pagespeed and co come to mind).
just saying, don’t blindly trust every bs written on such testing pages
Hi @falzo you are very right! I did think about it after achieving this as the Vstats stopped working.
The solution has to be within .htaccess or the actual CMS individually as you said.
Next I will implement it in .htaccess, I think.
So one way of re-using code on a per-domain basis is to symlink to it.
Example: you put your security code into a file, say /etc/apache2/snippets/header-security.conf
Then for each domain you want to activate it for, you make a symlink, e.g.
ln -s /etc/apache2/snippets/header-security.conf /home/user/conf/web/domain.com/apache2.conf_headers
and probably another one for the ssl config
ln -s /etc/apache2/snippets/header-security.conf /home/user/conf/web/domain.com/apache2.ssl.conf_headers
This works because the two apache configs will automatically include any files starting apache2.conf_ or apache2.ssl.conf_ in that directory.
apachectl -t to test the config before you restart.
Hi all! I keep getting a warning in WordPress about security headers. I have performed all the necessary actions from the web server side, but I still see this error. My server settings:
But the warning about not working headers in WordPress still says that they are not installed. I suspect it is doing validation specifically in the .htaccess file, but not in the apache2 + nginx configs?
Hi, I’m new to Hestia and also to Nginx so I’m still on the learning curve.
I try to figure out how to implement the security headers too.
I just installed it on fresh Ubuntu 20.04.4 LTS
Hestia is installed without Apache, just Nginx as the webserver (installed version 1.21.6).
I tried as I saw in previous answers by editing NGINX conf and adding the headers on the SSL PCI compliance block.
tested config and restarted.
Nothing happened on page headers output.
I struggled for a few hours reading other tutorials and documentation too, but without success.
only HSTS from Edit Web Domain is working.
Please can you give me a hint where to look forward?
Thanks
A good night’s sleep, reading again the comments and your hint took me in the right direction.
My conclusion:
If we add the security headers in /etc/nginx/nginx.conf, these will be globally active at the server level.
! If we check the HSTS checkbox in Edit Web Domain, the headers declared in nginx.conf are ignored and only the HSTS header remains. As a result, for a website where we want a specific configuration, we should add them in home/user/conf/web/domain/
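The behaviour reported in the last post matches nginx's documented add_header inheritance rule: a level inherits add_header directives from the level above only if it defines none of its own. The following is an added example, not code from the thread or from Hestia, that audits a config for headers dropped this way; the sample config, hostnames and function names are constructed for illustration, and the parser is a simplification that ignores include files.

```python
import re

# Constructed sample (not from the thread): two headers at http level and one
# server block that sets only HSTS, as a per-domain HSTS option would.
SAMPLE = """
http {
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    server { server_name plain.example; }
    server {
        server_name hsts.example;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}
"""
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(tokens):
    """Build a tree of (words, children); children is None for simple directives."""
    block, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in (";", "{"):
            block.append((words, parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok.strip("\"'"))
    return block

def audit(block, inherited=(), report=None):
    """Per server_name: headers actually sent, and inherited ones that were dropped."""
    report = {} if report is None else report
    def args(name):
        return [w[1] for w, kids in block if kids is None and w[:1] == [name] and len(w) > 1]
    own = args("add_header")
    # nginx rule: a level with any add_header of its own inherits none from above.
    active = own or list(inherited)
    if args("server_name"):
        lost = [h for h in inherited if own and h not in own]
        report[args("server_name")[0]] = {"active": active, "lost": lost}
    for _, kids in block:
        audit(kids or [], active, report)
    return report

def check(config_text):
    text = re.sub(r"#.*", "", config_text)  # simplification: '#' inside quoted values unsupported
    return audit(parse(iter(TOKEN.findall(text))))

if __name__ == "__main__":
    print(check(SAMPLE))
```

A non-empty "lost" list for a server means the globally declared headers have to be repeated at that level, which is the per-domain configuration the post arrives at.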