How to find where (unwanted) security headers are set

In some cases you may be unable to change a security header from within Really Simple SSL because the settings is disabled.
You may even get the following warning in the Really Simple SSL dashboard: “The … security header is not set by Really Simple SSL, but has a non-recommended value: “…”

This means that the header was set by other means, sometimes incorrectly or with non-recommended values. If we find an incorrectly set header or a header that is not set according to our recommendations a notice will be displayed in the Really Simple SSL dashboard. We highly recommend removing the security headers from all other locations and to let Really Simple SSL Pro handle them for you.

This article explains the different locations where security headers can be set so you can remove them and let Really Simple SSL set them to the recommended settings.

Please note that (although this is not usually the case) security headers can be set differently for every page. If you get unexpected results check different pages on your website.

It is impossible for us to change security headers set by other means. We can detect what your headers are but not where or how they were set. You will have to find the location where the header is set yourself if you want to fix it. We are sorry but we cannot assist you with changing security headers set by other means. You may be able to get support from your web hosting service in locating and disabling or changing incorrectly set security headers.

To check what security headers are set you can use

Locations for security headers

There are basically three locations where security headers for your WordPress website can be set and the last header set is the header that will be active. The order in which headers are set is:

  1. Plugins or PHP files (like wp-config.php, functions.php or in a plugin like Really Simple SSL)
  2. Server configuration files (.htaccess, httpd.conf, nginx.conf)
  3. Proxy or Content Delivery Network services like Cloudflare

Plugins or PHP files

There are plugins that set headers in their own PHP files or in wp-config.php or your themes functions.php. If you cannot find where security headers were set you could check these files for lines that set those headers. Note: If you cannot find the header in the wp-config.php or functions.php, the header may be set inside a plugin. You will then need to change a setting or remove that plugin to prevent the security header from re-appearing.

Apache & Litespeed

If your site is using Apache you will need to look for the .htaccess file* in the root folder of your website. You can use a file manager plugin to do that. Open the file in edit mode and locate the line starting with “header (always) set” followed by the header you want to remove and delete the entire line.

Note: If you have not set the header in .htaccess yourself, this may have been done by a plugin. If that is the case you will need to change a setting or remove that plugin to prevent the security header from re-appearing in .htaccess. If the security header is not set in .htaccess it may be set in the httpd.conf file, on shared hosting platforms you will not have access to the httpd.conf file and will need to ask your web hoster to remove the security headers set in that file.


The config files for Nginx can be in different locations. On shared hosting platforms, you will not have access to the nginx.conf files and will need to ask your web hoster to remove the security headers set in those files.


There are many different ways to set security headers in Cloudflare. There are Cloudflare workers, transform rules, the certificate settings and a few more obscure ways. If you have unwanted security headers set by Cloudflare check this URL for documentation on where they could be set.

*For some configurations it is possible that .htaccess is not directly writable. There will be an error in your Really Simple SSL dashboard. You can fix this issue by reading this article. If you have followed this article, reload the dashboard and the notification should be gone.

Lightweight plugin, Heavyweight Security features. Get Pro and leverage your SSL certificate for WordPress security standards.