Website überprüfen mit https://observatory.mozilla.org/ oder https://www.experte.de/security-check
Beispiele:
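# Security headers for Apache (.htaccess or vhost); needs mod_headers.
# "Header always set" also applies the headers to non-2xx responses
# (redirects, error pages), which plain "Header set" does not.
<IfModule mod_headers.c>
    # HSTS is only meaningful on the HTTPS vhost. Add "; includeSubDomains"
    # only once every subdomain is served over TLS.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # The XSS auditor has been removed from current browsers and the old
    # "1; mode=block" filter had side-channel problems; "0" turns it off
    # explicitly instead of relying on the deprecated filter.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin"
    # Optional; does not work with the shopping cart.
    # 'unsafe-inline' in script-src largely cancels the XSS protection the
    # CSP would give; keep it only until inline scripts are moved to files
    # (or nonces/hashes are used).
    Header always set Content-Security-Policy "default-src 'self'; font-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
</IfModule>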
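/**
 * Adds security headers to WordPress front-end responses (for functions.php).
 *
 * The filter is only registered for HTTPS requests: browsers ignore
 * Strict-Transport-Security received over plain HTTP. is_ssl() is used
 * instead of !empty($_SERVER['HTTPS']) because some servers (e.g. IIS) set
 * HTTPS to the string "off", which !empty() would treat as "on". Behind a
 * TLS-terminating reverse proxy, is_ssl() additionally needs the usual
 * HTTP_X_FORWARDED_PROTO handling in wp-config.php.
 *
 * The function itself is declared unconditionally so it always exists;
 * only the add_filter() call depends on the request scheme.
 *
 * @param array $headers Headers collected by WordPress for the 'wp_headers' filter.
 * @return array The same array with the security headers added.
 */
function en_hsts_header($headers) {
    $headers["Strict-Transport-Security"] = "max-age=31536000";
    $headers["X-Frame-Options"]           = "SAMEORIGIN";
    $headers["X-Content-Type-Options"]    = "nosniff";
    // The XSS auditor has been removed from current browsers; "0" disables it
    // explicitly rather than relying on the deprecated "1; mode=block" filter.
    $headers["X-XSS-Protection"]          = "0";
    $headers["Referrer-Policy"]           = "strict-origin";
    // frame-ancestors supersedes X-Frame-Options in browsers that support CSP 2;
    // both are kept for older clients. Extend the policy per site as needed.
    $headers["Content-Security-Policy"]   = "default-src 'self'; object-src 'none'; frame-ancestors 'self'";
    return $headers;
}

if (is_ssl()) {
    add_filter('wp_headers', 'en_hsts_header');
}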
Siehe auch: weitere sicherheitsrelevante Einstellungen in der functions.php; außerdem überflüssige Tags im WordPress-HTML-HEAD entfernen.
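# TYPO3 security headers (TypoScript setup). Each entry is sent as one
# "Name: value" response header; spacing and header-name casing are
# normalized here so all entries follow the same form.
# Ideally send Strict-Transport-Security only for HTTPS requests (e.g. via a
# TypoScript condition); browsers ignore it over plain HTTP anyway.
config.additionalHeaders {
    10.header = Strict-Transport-Security: max-age=31536000
    20.header = X-Frame-Options: SAMEORIGIN
    30.header = X-Content-Type-Options: nosniff
    # The XSS auditor has been removed from current browsers; "0" disables it
    # explicitly instead of relying on the deprecated "1; mode=block" filter.
    40.header = X-XSS-Protection: 0
    50.header = Referrer-Policy: strict-origin
    # form-action 'none' blocks ALL form submissions (search, login, contact
    # forms); relax to 'self' if the site has any forms.
    60.header = Content-Security-Policy: default-src 'self'; font-src 'self'; object-src 'none'; form-action 'none'
}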