Really Simple SSL

How to find where security headers are set


You were probably directed to this page because Really Simple SSL told you that you have a non-recommended security header set by another method. Really Simple SSL will not set security headers if they are already set by another method. The problem is that most security headers may only be set once. If they are set multiple times, browsers may ignore the header altogether.

This article explains the different locations where security headers can be set, so you can remove them and let Really Simple SSL set them to the recommended settings. A good way to check which security headers are set outside Really Simple SSL is to disable all security headers in Really Simple SSL, go to https://securityheaders.com and run the check against your site. Please note that (although this is not usually the case) security headers can be set differently for every page. If you get unexpected results, check different pages on your website.

There are basically three locations where security headers for your WordPress website can be set:

  1. Server configuration files (.htaccess, httpd.conf, nginx.conf)
  2. PHP files (like wp-config.php, functions.php or in a plugin like Really Simple SSL)
  3. If you use a reverse proxy service like Cloudflare you can also set the security headers in different locations in their configuration

If you want to manually remove security headers, you need to know what server software your site is running on. When using Really Simple SSL you can find this information on the settings page. There will be an indicator saying “apache” or “nginx”.

Apache
If your site is using Apache, you will need to look for the .htaccess file in the root folder of your website. You can use a file manager plugin to do that. Open the file in edit mode, locate the line starting with “header set” followed by the header you want to remove, and delete the entire line. Note: If you have not set the header in .htaccess yourself, this may have been done by a plugin. You will probably need to change a setting or remove that plugin to prevent the security header from re-appearing in .htaccess.
If the security header is not set in .htaccess, it may be set in the httpd.conf file. On shared hosting platforms you usually do not have access to the httpd.conf file and will need to ask your web host to remove security headers set in that file.

Nginx
The config files for nginx can be in many different locations. On shared hosting platforms you usually do not have access to the nginx.conf files and will need to ask your web host to remove security headers set in those files.

PHP files
Some plugins set headers in their own PHP files, and some add them to wp-config.php or your theme's functions.php for you. If you cannot find where security headers were set, you could check these files for lines that set those headers. Note: If you have not set the header in wp-config.php or functions.php yourself, this may have been done by a plugin. You will probably need to change a setting or remove that plugin to prevent the security header from re-appearing.
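
The file search described in the Apache, Nginx and PHP sections above can be scripted. The following Python script is an added example, not part of Really Simple SSL or the original article; the header list, the function names and the sample file contents are assumptions made for illustration.

```python
import os
import re

# Header names to search for (a common set; adjust to match your scan report).
NAMES = "|".join(map(re.escape, (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy")))
# Config patterns are anchored, so "#" comments are skipped; the PHP one is not.
PATTERNS = {
    "apache": re.compile(rf'^\s*Header\s+(?:(?:always|onsuccess)\s+)?'
                         rf'(?:set|setifempty|append|add|merge)\s+"?({NAMES})\b', re.I),
    "nginx": re.compile(rf'^\s*add_header\s+"?({NAMES})\b', re.I),
    "php": re.compile(rf'\bheader\s*\(\s*["\']\s*({NAMES})\s*:', re.I),
}

def file_kind(name):
    """Pick the pattern for a file name, or None to skip the file."""
    if name in (".htaccess", "httpd.conf"):
        return "apache"
    return {".conf": "nginx", ".php": "php"}.get(os.path.splitext(name)[1])

def scan_text(name, text):
    """Return [(line number, header name)] for header-setting lines in one file."""
    kind = file_kind(os.path.basename(name))
    if kind is None:
        return []
    found = (PATTERNS[kind].search(line) for line in text.splitlines())
    return [(n, m.group(1)) for n, m in enumerate(found, 1) if m]

def find_header_sources(root):
    """Walk a site directory; return sorted (relative path, line, header)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(file_kind, files):
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                rel = os.path.relpath(path, root)
                hits += [(rel, n, h) for n, h in scan_text(name, fh.read())]
    return sorted(hits)

# Constructed sample files (made up for this example, not from a real site).
SAMPLE = {
    ".htaccess": '# Header set X-Frame-Options "DENY"\n'
                 'Header always set X-Frame-Options "SAMEORIGIN"\n',
    "functions.php": "<?php\nheader('X-Content-Type-Options: nosniff');\n",
}

if __name__ == "__main__":
    print({name: scan_text(name, text) for name, text in SAMPLE.items()})
```

Headers added by a reverse proxy such as Cloudflare are not stored in the site's files, so a file scan like this will not find them. Because the PHP pattern also matches commented-out `header()` calls, review each hit before deleting a line.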

Peter Tak
