Table of Contents
SSL is an additional layer of security on your site. But to optimize your site security, we recommend to use several important security headers on your site as well. To implement them, you can add the headers as listed below to your website’s .htaccess file. Please make sure to replace the double quotes in each line with a normal one, as WordPress changes it into a fancy one that doesn’t work in .htaccess files.
Hosts not supporting .htaccess security headers
There are several configurations where security headers can’t be configured with the .htaccess file. This includes hosts who don’t support this in the .htaccess file or other servers than Apache, like NGINX, or load balanced configurations. Really Simple SSL pro can configure headers for you with PHP as well, which bypasses the .htaccess requirement. If the below instructions don’t work for you, please read more about this in the dedicated article.
An important header you can add is HSTS, and HSTS preload, which prevents your website users to load a fake version of your website, created by a hacker. But there are more ways to break into a site. To make this as hard as possible, we recommend adding the below headers to your site.
The Upgrade-Insecure-Requests header provides an additional method to force http:// requests on your own domain to https://. All http:// requests will be automatically upgraded to https:// when this header is enabled.
Expect-CT, Certificate Transparency
No Referrer When Downgrade header
Content Security Policy
Read the instructions carefully first. When in reporting mode, CSP can slow down your site, as the reports are fired to your server, and saved using the CSP api. If you notice performance issues, please disable reporting only on low traffic moments, until you have gathered enough data to start enforcing.
The Feature Policy header is a security header that controls which browser features can be used. Besides implementing these rules for your own content it can also prevent external iframes from using these browser features, making it a powerful header to secure your site.
The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features. The header uses a structured syntax, and allows sites to more tightly restrict which origins can be granted access to features. This will be released in Really Simple SSL 4.1 before depracation.
This is a security header which prevents a fraudulent SSL certificate to get loaded. We won’t be adding this one, as it’s a pretty advanced one, with many risks and possible issues, and which is also deprecated by Google, essentially killing this header in my opinion.
The internet will be relying on Expect CT instead of PKP.
The Cross-Origin Policies security headers contain the following headers Cross-Origin Resource Sharing (CORS), Cross-Origin Resource Policy (CORP), Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP). For more information about these headers see our dedicated Cross-Origin Security Headers article.