Site Health Security Error
Security headers can be a frequently failed item in WordPress Site Health. The error in Site Health is:
All of these headers can be set at CloudFlare:
- Upgrade Insecure Requests
- X-XSS protection
- X-Content Type Options
- Referrer-Policy
- Permissions-Policy
- HTTP Strict Transport Security
Review site headers using curl
To see what headers are being returned from a website use the following command: curl -I foo.com
curl is a command-line tool for making HTTP/HTTPS requests. The request defaults to https.
- The
-Iparameter tells curl to: - Send an HTTP HEAD request instead of GET
- Return headers only
- Skip downloading the response body (HTML, JSON, etc.)
Cloudflare – Add a Response Header Transform Rule
- Log in to Cloudflare and select a domain.
- Go to
Rules → Overview. - Click Create rule and choose
Response Header Transform Rules - Give the rule a clear name. Example:
Security Headers (WordPress Site Health) - Set
All incoming requeststoApply this rule to all requests. - Under Then, choose Set static and enter the Header name and Value you want to add or modify.
- Click
Set new headerto add additional headers if needed - Click
Deployto activate the rule.
Recommended Header Name and Value Settings
| Header name | Value | |
|---|---|---|
| Set static | Content-Security-Policy | upgrade-insecure-requests |
| Set static | Permissions-Policy | geolocation=(), microphone=(), camera=() |
| Set static | Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| Set static | X-Content-Type-Options | nosniff |
| Set static | X-XSS-Protection | 1; mode=block |
| Set static | strict-origin-when-cross-origin | Referrer-Policy |
Settings Explanation
- Content-Security-Policy: upgrade-insecure-requests — Automatically upgrades all HTTP resource requests to HTTPS to prevent mixed-content issues and improve transport security.
- Permissions-Policy: geolocation=(), microphone=(), camera=() — Explicitly disables access to geolocation, microphone, and camera APIs for the site and all embedded content.
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload — Forces browsers to use HTTPS only for one year for the site and all subdomains and signals eligibility for browser HSTS preload lists. (Note: the header name should be Strict-Transport-Security*.)*
- X-Content-Type-Options: nosniff — Prevents browsers from MIME-sniffing responses and forces them to respect the declared Content-Type.
- X-XSS-Protection: 1; mode=block — Enables the browser’s legacy XSS filter and blocks rendering of the page if an attack is detected.
- Referrer-Policy: strict-origin-when-cross-origin — Sends the full referrer URL for same-origin requests but only the origin for cross-origin requests, and nothing when downgrading from HTTPS to HTTP.⠀
Confirm Response Header Transform Rule
To confirm the new headers are being returned use the curl command from earlier:
curl -I foo.com