Really Simple SSL

How to set Security Headers on Apache and NGINX

Below we will discuss the different ways to set security headers on both Apache and NGINX, and why caching conflicts with security headers set with PHP. Really Simple SSL will choose the correct setting by default, but it’s always a good idea to know what the different settings are, and adjust accordingly if needed.

Security headers with Apache, NGINX, and caching variables

These tables show the correct possible settings for your security headers, below is an example of how to fix an incorrect configuration.

Caching not Enabled

Advanced Headers PossiblePossible

Caching is Enabled

Advanced HeadersPossiblePossible

* For example with plugins like WP Rocket, WP Fastest Cache, W3 Total Cache, etc.

Example when to change configurations

You need to evaluate your settings when you do not get both green bullet points. It will signify what the issue is, and you should adjust based on the above tables. In this example we have set security headers with PHP, but installed WP Fastest Cache afterward and you will see a red bullet point.

To fix this issue we look at the table and find only .htaccess will work with caching enabled, and Apache. So we change to .htaccess.

A new error occurs; “.htaccess is not writable”

For some configurations it is possible .htaccess is not directly writable. There will be an error in your Really Simple SSL Pro dashboard. You can fix this issue by reading this article. If you have followed this article, reload the dashboard and the notification should be gone.

Security headers set in .htaccess, but not detected by Security Headers verification tools

If you have set the security headers with .htaccess on an Apache server, but the headers aren’t passed (e.g. a security headers tool doesn’t see them), most likely PHP is being run as FastCGI module. If that is the case you can set the headers with PHP.

To do this, go to settings/ssl/general. Set the option “How to set the security headers” to “set with PHP”. A second option to set the headers in this case is to ask your hosting company to add them to the Apache config file.

Setting security headers in the nginx.conf file

If you’re setting security headers in the NGINX configuration file, you will need to edit the file yourself. You will get a notification, and needed rules in the Really Simple SSL Pro dashboard, for example:

Aert Hulsebos

Aert Hulsebos

Related articles

Join our mailing list - 8 Tips & Tricks in your inbox over the next 8 weeks!