You have an issue with your site or webserver configuration. No headers is returned.
Also it seems you have another security application running, so make sure it does not remove the headers but forward them as expected:
$ curl https://advena.me/
<h1>Security incident detected</h1><p>Your request was blocked. Please try again later (or don't).</p>
Can you try the following code:
<?php
header('Content-Type: text/plain');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin' );
1. Save it to a file named ‘header.php’.
2. Over FTP, upload the file into your document root folder.
3. Go to securityheaders.com, and enter https://advena.me/header.php as the URL, so that it will test that script only.
Does it work?
Done and that one works. But what about the rest of the website?
That’s odd, there must be a configuration issue somewhere.
- Do you see any error in the NinjaFirewall “Overview” page?
- Do you see any error in the “Firewall Policies > Advanced Policies” section?
- Are you running the firewall in “Full WAF” or “WordPress WAF” mode ? (You can see which mode you are using in the “Overview” page.)
Do you have a caching plugin installed? It would serve the cached index page, but without the security headers.
I have and disabled it. The results are still the same. :/
-
This reply was modified 7 years ago by
tanckom.
I think it has to come from the caching plugin: check your .htaccess. Even if you disabled it, it may have left some rules inside your .htaccess.
Well thanks for the hint, it looked like NinjaFirewall didn’t have access to my .htaccess file and I manually injected the
# BEGIN NinjaFirewall
php_value auto_prepend_file …/wp-content/nfwlog/ninjafirewall.php
# END NinjaFirewall
Script. You sir are a treat, keep going the good work!
