Not all recommended hearders are installed

Hi everyone, I’ve got this message from my site health check

Your .htaccess file does not contain all recommended security headers.

  • HTTP Strict Transport Security
  • Content Security Policy: Upgrade Insecure Requests
  • X-XSS protection
  • X-Content Type Options
  • Referrer-Policy
  • Expect-CT

Now I went through the link provided to the SSL page, I need to edit htaccess file and copy-paste these codes in the HTML bottom page between and # END WordPress , where it ends the file but once I save it I get the following error ( Internal server error) Am I missing something?

@Fabrix hi, I used wp for very long time, recently I switched to bash (basically I write my blog as markdown files and then bash command converts it to html static pages - so no database need it on my end and I can carry my blog on localhost or usb stick or cd… its better for me, for two things - backup and deployment to other server not mention the speed)

anyway here are those points you reflect:

  • HTTP Strict Transport Security - this have nothing really with wp it self
  • Content Security Policy: Upgrade Insecure Requests - again nothing to do with wp it self - wp just sends your text (code) out there as you would put it out so in 2021 just use everything linked with https:
  • X-XSS protection - this have really nothing to do with wp core as it self - however if you use bad coded themes or plugins, it can give you head ache, cleary said, stay away from badly coded themes and plugins and you would be fine.
  • X-Content Type Options - nothing to do with wp, most of the time I see this recommendation, I would not contact ‘checker’ any more as this is normally invalid and most scammers use this as well. Its apache who serve files - so pdf or php etc… again nothing to do with wp.
  • Referrer-Policy - well yes google is changing from april the 1st and you can test your page about it with google = PageSpeed Insights this will tell you how and what you need to change to follow this for better seo but its not policy, it should be the rule for you.
  • Expect-CT = ssl things, well I guess you use ssl from lets encrypt, so you should be very fine,

now the point .htaccess file does not support html. One big thumb of rule, never blindly follow advices from ‘health check’ websites, always make backup of the files you edit before you edit. Make sure if your site is working - that you take health check as an advice not you must do and 500 error you are getting from your browser means miss configuration - possibly not very good advice they gave you - as usually they do.


if you try to use web secure and fast, most of the times wp does this for you if you will stay up to date and you dont need cr*p around. If your site is slow, think about your hosting provider location, it would be bad if you are in USA and your hosting is in EU and you targeting USA country - it would be slow even via fibre optics as USA need to filter some stuff before it reach end user and its always like this (roughly 3 to 6 seconds no matter what cdn you use), also consider where this test server is located? USA, EU, Home or other country?

  • there you have it. You ain’t missing anything - just dont try to fix something which is not broken, if you want to make it better follow the code - I assume you understand what it does and how it does and lastly don’t follow those recommended settings websites blindly - test the settings, review them your self and if they do benefit you its fine, but 99% of them will give you cr*p advice. - have nice day.