Really Simple SSL

How to find where (unwanted) security headers are set


In some cases you may get the warning:

  • “Header x has been set to the non-recommended value **”, or
  • You tried to disable “header”, but this is not possible because it is set by a third party.

This means that a third party, not Really Simple SSL, has set this header, either incorrectly or with non-recommended values. If we find a header that is set incorrectly or not according to our recommendations, this notice is displayed in the Really Simple SSL dashboard. We highly recommend removing the security headers from all other locations and letting Really Simple SSL Pro handle them for you.

Notification for non-recommended security headers

This article explains the different locations where security headers can be set so you can remove them and let Really Simple SSL set them to the recommended settings.

Please note that (although this is not usually the case) security headers can be set differently for every page. If you get unexpected results, check different pages on your website.

It is impossible for us to change security headers set by others, and we cannot determine where these security headers are coming from. You will have to find the location where the header is set yourself if you want to fix it. We are sorry, but we cannot assist you with changing security headers set by other means. You may be able to get support from your web hosting service in locating and disabling or changing incorrectly set security headers.

Locations for security headers

There are basically three locations where security headers for your WordPress website can be set:

  1. Server configuration files (.htaccess, httpd.conf, nginx.conf)
  2. Plugins or PHP files (like wp-config.php, functions.php or in a plugin like Really Simple SSL)
  3. Content Delivery Network services like Cloudflare

If you want to manually remove security headers, you need to know which server software your site is running on. When using Really Simple SSL you can find this information on the settings page: there will be an indicator saying “Apache” or “Nginx”.

Apache & Litespeed

If your site is using Apache, you will need to look for the .htaccess file* in the root folder of your website. You can use a file manager plugin to do that. Open the file in edit mode, locate the line starting with “Header set” followed by the header you want to remove, and delete the entire line. Note: if you have not set the header in .htaccess yourself, this may have been done by a plugin.

You will probably need to change a setting in that plugin or remove it to prevent the security header from re-appearing in .htaccess. If the security header is not set in .htaccess, it may be set in the httpd.conf file. On shared hosting platforms you usually do not have access to httpd.conf and will need to ask your web hoster to remove the security headers set in that file.

Nginx

The config files for Nginx can be in different locations. On shared hosting platforms, you usually do not have access to the nginx.conf files and will need to ask your web hoster to remove the security headers set in those files.

Plugins or PHP files

There are plugins that set headers in their own PHP files, in wp-config.php or in your theme's functions.php. If you cannot find where the security headers were set, check these files for lines that set them. Note: if you cannot find the header in wp-config.php or functions.php, the header may be set by a plugin. You will probably need to change a setting in that plugin or remove that plugin to prevent the security header from re-appearing.
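The Apache, Nginx and PHP sections above all come down to searching files for a line that sets the header. The script below is an added example (not Really Simple SSL's own code) that does that search in one go for a header name you give it, and includes a constructed sample site (the file contents and paths are made up for the demo) so it can be tried offline.

```shell
#!/bin/sh
# Search a WordPress install (and any readable server config) for lines that
# set a given security header: Apache/LiteSpeed "Header set" (.htaccess,
# httpd.conf), nginx "add_header" and PHP header() calls in wp-config.php,
# functions.php or plugin files.

# Print "file:line:text" for every line under directory $1 that sets header $2.
# Exit status is 1 when nothing matched (grep's own behaviour).
find_header_sources() {
  dir="$1"; name="$2"
  # Alternatives: Apache "Header [always] set|append|merge|unset NAME" at line
  # start, nginx "add_header NAME", PHP header('NAME: ...') / header("NAME: ...").
  pattern="(^[[:space:]]*header[[:space:]]+(always[[:space:]]+)?(set|append|merge|unset)[[:space:]]+|add_header[[:space:]]+|header[[:space:]]*\([[:space:]]*['\"])${name}"
  grep -rniE "$pattern" "$dir" 2>/dev/null
}

# Count how many places set the header (prints 0 when none).
count_header_sources() {
  find_header_sources "$1" "$2" | grep -c .
}

# What a live page actually sends for header $2 (needs curl and network).
# Headers can differ per page, so run it against several URLs of the site.
header_on_page() {
  curl -sSI "$1" | grep -i "^$2:"
}

# Constructed sample site so the search can be tried offline (not a real install).
make_demo_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/plugins/demo-headers"
  printf '%s\n' '# constructed .htaccess' 'Header set X-Frame-Options "DENY"' \
    'Header always set X-Content-Type-Options "nosniff"' > "$site/.htaccess"
  printf '%s\n' '<?php' "header('X-Frame-Options: SAMEORIGIN');" \
    > "$site/wp-content/themes/demo/functions.php"
  printf '%s\n' '<?php' \
    'add_action("send_headers", function () { header("X-Frame-Options: SAMEORIGIN"); });' \
    > "$site/wp-content/plugins/demo-headers/demo-headers.php"
  printf '%s\n' '# constructed nginx fragment' \
    'add_header X-Frame-Options "SAMEORIGIN" always;' > "$site/nginx.conf"
  echo "$site"
}

# Stand-alone run: list every place the sample site sets X-Frame-Options.
demo=$(make_demo_site)
find_header_sources "$demo" X-Frame-Options || echo "(none found)"
rm -rf "$demo"
```

On a real site, run `find_header_sources /path/to/wordpress X-Frame-Options` (and the same over any server config directory you can read); each hit is a line to remove or a plugin whose setting needs changing.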

Cloudflare

There are many different ways to set security headers in Cloudflare: Cloudflare Workers, Transform Rules, the certificate settings and a few more obscure ways. If you have set unwanted security headers through Cloudflare, check this URL for documentation on where they could be set.

For some configurations it is possible that .htaccess is not directly writable. In that case there will be an error in your Really Simple SSL dashboard, which you can fix by reading this article. Once you have followed it, reload the dashboard and the notification should be gone.

Peter Tak
