WordPress

WordPress Site Health Security Headers Issue

by

Site Health Security Error

Security headers can be a frequently failed item in WordPress Site Health. The error in Site Health is:

Not all essential security headers are installed
Not all essential security headers are installed

All of these headers can be set at CloudFlare:

  • Upgrade Insecure Requests
  • X-XSS protection
  • X-Content Type Options
  • Referrer-Policy
  • Permissions-Policy
  • HTTP Strict Transport Security

Review site headers using curl

To see what headers are being returned from a website use the following command: curl -I foo.com

curl is a command-line tool for making HTTP/HTTPS requests. The request defaults to https.

  • The -I parameter tells curl to:
  • Send an HTTP HEAD request instead of GET
  • Return headers only
  • Skip downloading the response body (HTML, JSON, etc.)
curl command
curl command

Cloudflare – Add a Response Header Transform Rule

  • Log in to Cloudflare and select a domain.
  • Go to Rules → Overview.
  • Click Create rule and choose Response Header Transform Rules
  • Give the rule a clear name. Example: Security Headers (WordPress Site Health)
  • Set All incoming requests to Apply this rule to all requests.
  • Under Then, choose Set static and enter the Header name and Value you want to add or modify.
  • Click Set new header to add additional headers if needed
  • Click Deploy to activate the rule.
Response Header Transform Rule
Response Header Transform Rule

Recommended Header Name and Value Settings

Header name Value
Set static Content-Security-Policy upgrade-insecure-requests
Set static Permissions-Policy geolocation=(), microphone=(), camera=()
Set static Strict-Transport-Security max-age=31536000; includeSubDomains; preload
Set static X-Content-Type-Options nosniff
Set static X-XSS-Protection 1; mode=block
Set static strict-origin-when-cross-origin Referrer-Policy

Settings Explanation

  • Content-Security-Policy: upgrade-insecure-requests — Automatically upgrades all HTTP resource requests to HTTPS to prevent mixed-content issues and improve transport security.
  • Permissions-Policy: geolocation=(), microphone=(), camera=() — Explicitly disables access to geolocation, microphone, and camera APIs for the site and all embedded content.
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload — Forces browsers to use HTTPS only for one year for the site and all subdomains and signals eligibility for browser HSTS preload lists. (Note: the header name should be Strict-Transport-Security*.)*
  • X-Content-Type-Options: nosniff — Prevents browsers from MIME-sniffing responses and forces them to respect the declared Content-Type.
  • X-XSS-Protection: 1; mode=block — Enables the browser’s legacy XSS filter and blocks rendering of the page if an attack is detected.
  • Referrer-Policy: strict-origin-when-cross-origin — Sends the full referrer URL for same-origin requests but only the origin for cross-origin requests, and nothing when downgrading from HTTPS to HTTP.⠀

Confirm Response Header Transform Rule

To confirm the new headers are being returned use the curl command from earlier:

curl -I foo.com