Below we will discuss the challenges and solutions of setting security headers in a WordPress environment.
Methods for setting http security headers
There are different ways to set security headers on both Apache and Nginx. Usually, security headers on Apache are set in the .htaccess file in the root of your WordPress installation, for Nginx servers they are usually set in the nginx.conf file. Some servers combine Nginx and Apache so they can be set in either of those files.
If you are not managing your own server but are using a web hosting service for your WordPress site you may not be able to edit those files. If your web hosting service is running Apache, most hosters will allow you to edit the .htaccess file but not all hosters will support security headers in .htaccess. If your web hosting service is running Nginx, most hosters will not allow you to edit the nginx.conf file because you could create problems for the entire server if you make a mistake.
Another option is to set the security headers in PHP. This can always be controlled from within WordPress and has been an option in Really Simple SSL Pro for a while now. The downside of this method is that if you use a caching plugin like WP Rocket, WP Fastest Cache, W3 Total Cache, etc. this will not be reliable.
A new solution
Really Simple SSL Pro has implemented a new way of setting http headers in PHP using an advanced-headers.php file. This solution works in almost all configurations, even with caching plugins active*.
*Only the WP Rocket caching plugin requires a custom setting to make this work, but we will even take care of that for you.
Older versions of Really Simple SSL Pro used to default to setting security headers in .htaccess but from version 5.5 we default to the advanced-header.php method. We will not change the method for setting security headers for sites that were already using the .htaccess or nginx.conf method before though. If you installed Really Simple SSL Pro before version 5.5 and were using the .htaccess or nginx.conf method you will need to change the setting to advanced-headers.php manually.
Possible remaining issues
On many systems, a few security headers will already be set even without Really Simple SSL Pro. Unfortunately, in many cases, these headers are set incorrectly or with non-recommended values.
Setting headers multiple times may result in duplicate or conflicting headers that will effectively render them useless. To prevent this Really Simple SSL will detect any security headers already set by other methods and check if they are set correctly and with a recommended value. If the already set security headers are set with the correct values you are fine, Really Simple SSL Pro will detect them, will show them as being enabled and not set a duplicate header.
If we find an incorrectly set header or a header that is not set according to our recommendations a notice will be displayed in the Really Simple SSL dashboard.
If you get one of these notices we highly recommend removing the security headers from all other locations and to let Really Simple SSL Pro handle them for you. Check this article on how to find where incorrect or non-recommended security headers might have been set.