Hey everyone:
Although I added the top snippet to my .htaccess file, my site is still getting an "F" from securityheaders.com for a number of security header issues.
Since this is way over my head, I'm wondering if it might have something to do with how I've configured my .htaccess file. Are there any redundancies or any snippets that could be causing this issue? I've read several articles about security headers and this snippet seems to be a frequent solution offered on them. I'm stumped!
Any thoughts on what I'm missing or need to modify would be greatly appreciated.
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Xss-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=self"
</IfModule>
Options -Indexes
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://paulmolloydesign.com/$1 [R=301,L]
Redirect 301 /sitemap.xml /sitemap.php
ErrorDocument 404 /error-404/
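
One way to check which headers from the snippet above actually reach the client is to save a response head (for instance the output of `curl -sI`) and compare it against what the .htaccess sets. This is an added example, not part of the original post; the sample responses are constructed and the function names `parse_head` and `audit` are hypothetical.

```python
# Headers and values set by the .htaccess snippet in the post.
EXPECTED = {
    "content-security-policy": "upgrade-insecure-requests",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=self",
}
# Constructed sample response heads (not captured from any real site).
SAMPLE_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/
"""
SAMPLE_OK = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""

def parse_head(raw):
    # Return (status_code, {lowercased header name: [values]}) for one head.
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit(raw):
    status, headers = parse_head(raw)
    report = {"status": status, "missing": [], "duplicate": [], "mismatch": []}
    for name, want in EXPECTED.items():
        got = headers.get(name, [])
        if not got:
            report["missing"].append(name)      # header never arrived
        elif len(got) > 1:
            report["duplicate"].append(name)    # set in more than one place
        elif got[0] != want:
            report["mismatch"].append(name)     # overridden elsewhere
    return report
```

A response where every header lands in `missing` means the `<IfModule mod_headers.c>` block did not apply to that response; Apache skips an `<IfModule>` block silently when the module is not loaded. Headers in `duplicate` or `mismatch` point to another configuration layer setting the same header.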