You can scan your website here (don’t forget to check ‘hide result’): https://securityheaders.com
Then add the following code to your .htaccess or directly inside the server configuration file if you have access to it:

# https://htaccessbook.com/important-security-headers
<IfModule mod_headers.c>
    # The Strict-Transport-Security (HSTS) header instructs modern browsers to always connect via HTTPS
    # (secure connection via SSL/TLS), and never connect via insecure HTTP (non-SSL) protocol. While there
    # are variations to how this header is configured, the most common implementation looks like this:
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    #Header add Content-Security-Policy "default-src 'self';"
    # => do not enable it, it causes problems in WordPress

    # The X-Frame-Options (XFO) security header helps modern web browsers protect your visitors against
    # clickjacking and other threats. Here is the recommended configuration for this header:
    Header set X-Frame-Options "SAMEORIGIN"

    # With that in mind, the Referrer-Policy enables you to control whether or not the Referer header is
    # included with the request. Here is an example showing how to add the Referrer-Policy header via Apache:
    Header set Referrer-Policy "same-origin"

    # The X-XSS-Protection security header enables the XSS filter provided by modern web browsers
    # (IE8+, Chrome, Firefox, Safari, et al). Here is the recommended configuration for this header:
    Header set X-XSS-Protection "1; mode=block"

    # The X-Content-Type-Options security header enables supportive browsers to protect against MIME-type
    # sniffing exploits. It does this by disabling the browser's MIME sniffing feature, and forcing it to
    # recognize the MIME type sent by the server. This header is very flexible and may be configured
    # extensively, however the most common implementation looks like this:
    Header set X-Content-Type-Options "nosniff"

    # Feature-Policy (the older name for Permissions-Policy)
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"

    # Permissions-Policy: allowlists use bare tokens such as (self) or (), not quoted 'self'
    Header set Permissions-Policy "accelerometer=(), geolocation=(self), fullscreen=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(self)"
</IfModule>
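To verify the result without relying on an external scanner, here is an added example (not part of the original post) that audits a response header set against the headers the snippet above configures; the checks, the SAMPLE_HEADERS dict and the audit_url helper are my own assumptions about what a server running this .htaccess would send.

```python
"""Audit HTTP response headers against the security headers set in the .htaccess snippet."""
import re
import urllib.request

HSTS_MIN_AGE = 31536000  # one year; the snippet above uses 63072000 (two years)


def hsts_ok(value):
    """max-age must be present and at least one year, and includeSubDomains must be set."""
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in value.lower()


def permissions_policy_ok(value):
    """Permissions-Policy allowlists are bare tokens: geolocation=(self), never ('self')."""
    return "'" not in value and "=" in value


# One check per header the snippet sets (plus CSP, which it leaves commented out).
CHECKS = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": permissions_policy_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
}


def audit(headers):
    """Return {header: 'ok' | 'missing' | 'weak'}; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: "missing" if name not in lowered else ("ok" if check(lowered[name]) else "weak")
            for name, check in CHECKS.items()}


def audit_url(url):
    """Fetch only the response headers of a live site (HEAD request) and audit them."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit(dict(resp.headers))


# Constructed sample: the headers a server configured with the snippet above would send.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "geolocation=(self), camera=()",
}

if __name__ == "__main__":
    for header, status in audit(SAMPLE_HEADERS).items():
        print(f"{header}: {status}")
```

Content-Security-Policy is reported as missing on purpose: the snippet keeps it commented out, so the audit shows the gap that remains.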
Now the scan result is better: