Security Headers Problem

#1
I have the following in my .htaccess file:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Header always set X-XSS-Protection "0; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>

My error log shows this:


2023-04-14 06:12:44.498247 [INFO] [33912] Rewrite directive: <IfModule mod_headers.c> bypassed.
2023-04-14 06:12:44.498250 [INFO] [33912] Invalid rewrite directive: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
2023-04-14 06:12:44.498254 [INFO] [33912] Invalid rewrite directive: Header always set X-XSS-Protection "0; mode=block"
2023-04-14 06:12:44.498258 [INFO] [33912] Invalid rewrite directive: Header always set X-Content-Type-Options "nosniff"
2023-04-14 06:12:44.498261 [INFO] [33912] Invalid rewrite directive: Header always set Referrer-Policy "strict-origin-when-cross-origin"
2023-04-14 06:12:44.498264 [INFO] [33912] Invalid rewrite directive: Header always set Expect-CT "max-age=7776000, enforce"
2023-04-14 06:12:44.498268 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Origin "*"
2023-04-14 06:12:44.498271 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
2023-04-14 06:12:44.498275 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Headers "Content-Type, Authorization"
2023-04-14 06:12:44.498279 [INFO] [33912] Invalid rewrite directive: Header set X-Content-Security-Policy "img-src *; media-src * data:;"
2023-04-14 06:12:44.498282 [INFO] [33912] Invalid rewrite directive: Header always set Content-Security-Policy "report-uri https://christ4.me"
2023-04-14 06:12:44.498285 [INFO] [33912] Invalid rewrite directive: Header always set X-Frame-Options "SAMEORIGIN"
2023-04-14 06:12:44.498289 [INFO] [33912] Invalid rewrite directive: Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
2023-04-14 06:12:44.498293 [INFO] [33912] Invalid rewrite directive: Header set X-Permitted-Cross-Domain-Policies "none"
2023-04-14 06:12:44.498296 [INFO] [33912] Rewrite directive: </IfModule> bypassed.

It all seems to be working fine but why does it show the errors in the log?
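A small lint over header values like the ones in the post above, as an added example (not part of the original thread, and not LiteSpeed or plugin code). The sample lines are copied from post #1; the function names and the short list of checks are this example's own and cover only a few well-known cases where a header does less than it appears to.

```python
import re

# Constructed sample: header lines copied from the .htaccess in post #1.
HTACCESS = '''
Header always set X-XSS-Protection "0; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "*"
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set X-Frame-Options "SAMEORIGIN"
'''

LINE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', re.I)
LEGACY = {"expect-ct", "x-content-security-policy"}
REPORT_ONLY = {"report-uri", "report-to"}

def parse_headers(text):
    """Return {lowercased header name: value} for each 'Header set' line."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def lint(text):
    """Return sorted (header, finding) pairs for values that protect less than they suggest."""
    findings = []
    for name, value in parse_headers(text).items():
        if name in LEGACY:
            findings.append((name, "deprecated or legacy header"))
        if name == "x-xss-protection":
            parts = [p.strip() for p in value.split(";")]
            if parts[0] == "0" and "mode=block" in parts[1:]:
                findings.append((name, "mode=block has no effect with 0"))
        if name == "content-security-policy":
            # Collect directive names; a policy made only of reporting directives enforces nothing.
            directives = {d.split()[0].lower() for d in value.split(";") if d.strip()}
            if directives <= REPORT_ONLY:
                findings.append((name, "only reporting directives, nothing is restricted"))
        if name == "access-control-allow-origin" and value.strip() == "*":
            findings.append((name, "any origin may read non-credentialed responses"))
    return sorted(findings)

if __name__ == "__main__":
    for header, finding in lint(HTACCESS):
        print(f"{header}: {finding}")
```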
 
#4
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
# Protect System Files - Security > Settings > System Tweaks > System Files
<files .htaccess>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.html>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.txt>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files wp-config.php>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>

# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On

# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]

# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
</IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera\ Mini|Opera\ Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###

### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###

### marker FAVICON start ###
RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(\d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600

ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600

ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600

ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600

ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600

</IfModule>
### marker BROWSER CACHE end ###

## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE


# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
#FPD - Custom Headers Security
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
#FPD - Custom Headers Security
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
 
#6
For OLS please use OpenLiteSpeed Forum. This forum is for LiteSpeed Enterprise only.
https://forum.openlitespeed.org/

Thank you for the link for OpenLiteSpeed Forum :)
 