Security Headers — Fix F grade on securityheaders.com #6

Closed
opened 2026-07-02 22:22:28 +00:00 by kutesir · 0 comments
Owner

Summary

Site was scoring F on securityheaders.com with 6 missing HTTP response headers. All 6 have been added via .htaccess.

Problem

Missing headers identified by scan of provoc.ug (which follows redirect to provocgroup.com:443):

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

Fix

Added to /public_html/.htaccess:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'"
</IfModule>

What each header does

Header Protection
Strict-Transport-Security Forces HTTPS for 1 year, includes subdomains
X-Frame-Options Blocks clickjacking attacks
X-Content-Type-Options Prevents MIME sniffing attacks
Referrer-Policy Controls referrer data sent on navigation
Permissions-Policy Disables camera, mic, geolocation, payment APIs
Content-Security-Policy Whitelists approved content sources, blocks XSS

Note

Server is LiteSpeed (confirmed via x-turbo-charged-by header). LiteSpeed supports Apache-style mod_headers directives in .htaccess.

Status

Deployed — re-scan on securityheaders.com expected to show A or B grade

## Summary Site was scoring **F** on securityheaders.com with 6 missing HTTP response headers. All 6 have been added via `.htaccess`. ## Problem Missing headers identified by scan of provoc.ug (which follows redirect to provocgroup.com:443): - Strict-Transport-Security - Content-Security-Policy - X-Frame-Options - X-Content-Type-Options - Referrer-Policy - Permissions-Policy ## Fix Added to `/public_html/.htaccess`: ```apache <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'" </IfModule> ``` ## What each header does | Header | Protection | |--------|------------| | Strict-Transport-Security | Forces HTTPS for 1 year, includes subdomains | | X-Frame-Options | Blocks clickjacking attacks | | X-Content-Type-Options | Prevents MIME sniffing attacks | | Referrer-Policy | Controls referrer data sent on navigation | | Permissions-Policy | Disables camera, mic, geolocation, payment APIs | | Content-Security-Policy | Whitelists approved content sources, blocks XSS | ## Note Server is LiteSpeed (confirmed via x-turbo-charged-by header). LiteSpeed supports Apache-style mod_headers directives in .htaccess. ## Status ✅ Deployed — re-scan on securityheaders.com expected to show A or B grade
Sign in to join this conversation.
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: kutesir/provoc-website#6
No description provided.