Security Headers Problem

#1
I have the following in my .htaccess file:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Header always set X-XSS-Protection "0; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>

My error log shows this:


2023-04-14 06:12:44.498247 [INFO] [33912] Rewrite directive: <IfModule mod_headers.c> bypassed.
2023-04-14 06:12:44.498250 [INFO] [33912] Invalid rewrite directive: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
2023-04-14 06:12:44.498254 [INFO] [33912] Invalid rewrite directive: Header always set X-XSS-Protection "0; mode=block"
2023-04-14 06:12:44.498258 [INFO] [33912] Invalid rewrite directive: Header always set X-Content-Type-Options "nosniff"
2023-04-14 06:12:44.498261 [INFO] [33912] Invalid rewrite directive: Header always set Referrer-Policy "strict-origin-when-cross-origin"
2023-04-14 06:12:44.498264 [INFO] [33912] Invalid rewrite directive: Header always set Expect-CT "max-age=7776000, enforce"
2023-04-14 06:12:44.498268 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Origin "*"
2023-04-14 06:12:44.498271 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
2023-04-14 06:12:44.498275 [INFO] [33912] Invalid rewrite directive: Header set Access-Control-Allow-Headers "Content-Type, Authorization"
2023-04-14 06:12:44.498279 [INFO] [33912] Invalid rewrite directive: Header set X-Content-Security-Policy "img-src *; media-src * data:;"
2023-04-14 06:12:44.498282 [INFO] [33912] Invalid rewrite directive: Header always set Content-Security-Policy "report-uri https://christ4.me"
2023-04-14 06:12:44.498285 [INFO] [33912] Invalid rewrite directive: Header always set X-Frame-Options "SAMEORIGIN"
2023-04-14 06:12:44.498289 [INFO] [33912] Invalid rewrite directive: Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
2023-04-14 06:12:44.498293 [INFO] [33912] Invalid rewrite directive: Header set X-Permitted-Cross-Domain-Policies "none"
2023-04-14 06:12:44.498296 [INFO] [33912] Rewrite directive: </IfModule> bypassed.

It all seems to be working fine, but why does it show the errors in the log?
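Whatever the log says about the Header lines, the check that settles it is to look at what the server actually sends and whether those values do what they are meant to. The script below is an added example, not from this thread and not LiteSpeed's code: fetch_headers() pulls a live site's response headers with the standard library, and audit_headers() flags the weak points in the header set posted above (a Content-Security-Policy that contains only report-uri and therefore restricts nothing, X-XSS-Protection set to 0 with a meaningless mode=block, Access-Control-Allow-Origin * next to an allowed Authorization request header, the obsolete X-Content-Security-Policy header and the deprecated Expect-CT header). Both header sets in the file are constructed: POSTED_HEADERS copies the values from the .htaccess above, and HARDENED_HEADERS is one possible corrected set whose CSP is an assumption about the site, not something derived from it.

```python
"""Security-header audit. Added example: the two header sets below are
constructed for illustration; nothing here was captured from a real site."""
import re
import sys
from urllib.request import Request, urlopen

ONE_YEAR = 31536000

# Values copied from the .htaccess posted above.
POSTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-XSS-Protection": "0; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Expect-CT": "max-age=7776000, enforce",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "X-Content-Security-Policy": "img-src *; media-src * data:;",
    "Content-Security-Policy": "report-uri https://mydomain.com",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), fullscreen=*, "
                          "geolocation=(self), gyroscope=(), microphone=(), payment=*",
    "X-Permitted-Cross-Domain-Policies": "none",
}

# One possible corrected set. Assumption: the site only needs same-origin
# framing plus the img/media sources from the original policy; the CSP is
# illustrative and must be tuned to the real site before enforcing it.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; img-src *; media-src * data:; "
                               "frame-ancestors 'self'; report-uri https://mydomain.com",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": POSTED_HEADERS["Permissions-Policy"],
    "X-Permitted-Cross-Domain-Policies": "none",
}


def fetch_headers(url, timeout=10):
    """HEAD the URL and return its response headers as a lowercase-keyed dict."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


def audit_headers(headers):
    """Return a list of findings for a response-header mapping (keys case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("HSTS missing")
    elif not age or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    elif "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
        findings.append("HSTS preload requires includeSubDomains")

    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if not csp:
        findings.append("CSP missing")
    elif directives <= {"report-uri", "report-to"}:
        findings.append("CSP contains only reporting directives and restricts nothing")
    if "x-content-security-policy" in h:
        findings.append("X-Content-Security-Policy is an obsolete prefixed header that browsers ignore")

    xss = h.get("x-xss-protection", "")
    if xss.startswith("0") and "mode=block" in xss:
        findings.append("X-XSS-Protection '0; mode=block' disables the filter, so mode=block has no effect")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")

    allowed = h.get("access-control-allow-headers", "").lower()
    if h.get("access-control-allow-origin") == "*" and "authorization" in allowed:
        findings.append("CORS allows any origin while advertising Authorization as an allowed request header")

    if "expect-ct" in h:
        findings.append("Expect-CT is deprecated and no longer enforced by browsers")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    return findings


if __name__ == "__main__":
    # With a URL argument the live headers are audited; without one, the posted set.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else POSTED_HEADERS
    for finding in audit_headers(headers) or ["no findings"]:
        print("-", finding)
```

Run it with the site URL as the first argument to audit the live server, or with no argument to see the five findings for the posted values. A default-src 'self' policy commonly breaks WordPress themes and plugins that inline scripts, so roll the CSP out as Content-Security-Policy-Report-Only with the report-uri first and switch to the enforcing header only once the reports are clean.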
 
#4
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
# Protect System Files - Security > Settings > System Tweaks > System Files
<files .htaccess>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.html>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.txt>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files wp-config.php>
<IfModule mod_litespeed.c>
Order allow,deny
Deny from all
</IfModule>
</files>

# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On

# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]

# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
</IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera\ Mini|Opera\ Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###

### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###

### marker FAVICON start ###
RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(\d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600

ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600

ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600

ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600

ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600

</IfModule>
### marker BROWSER CACHE end ###

## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE


# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
#FPD - Custom Headers Security
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
Header always set Content-Security-Policy "report-uri https://mydomain.com"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
#FPD - Custom Headers Security
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
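The iThemes "Protect System Files" and "Disable PHP in ..." rules above are easier to trust when run against concrete request paths than when read by eye: the [NC] flag, the optional trailing dot in `\.?$` and the [S=3] skip each change which requests get a 403. The script below is an added example, not part of iThemes Security or of the posted file. It transcribes those rules (leaving out the .git/.svn rule, whose RewriteCond %{REQUEST_FILENAME} -f needs the filesystem) into a small evaluator that models the mod_rewrite per-directory behaviour they rely on: the leading slash is stripped, each pattern is an unanchored regex search, a leading ! negates the match, [F] stops with 403, and [S=n] skips the next n rules when the rule matches. The request paths are constructed for the example.

```python
"""Evaluate the iThemes Security RewriteRule block against request paths.
Added example: the rule list is transcribed from the .htaccess above, the
evaluator is a small model of mod_rewrite, and the paths are constructed."""
import re

# (pattern, negated, flags); flags mirror the Apache RewriteRule flags used above.
ITHEMES_RULES = [
    (r"^wp-admin/install\.php$", False, {"F": True}),
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),  # not under wp-includes/: skip the next 3
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
    # .git/.svn rule omitted: its RewriteCond needs a real filesystem.
    (r"^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", False, {"NC": True, "F": True}),
    (r"^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", False, {"NC": True, "F": True}),
    (r"^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", False, {"NC": True, "F": True}),
]


def evaluate(path, rules=ITHEMES_RULES):
    """Walk the rules the way mod_rewrite does in a per-directory context and
    return 403 if an [F] rule fires, otherwise 200 (meaning: not forbidden here)."""
    path = path.lstrip("/")  # .htaccess at the docroot sees the path without the slash
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        re_flags = re.IGNORECASE if flags.get("NC") else 0
        matched = re.search(pattern, path, re_flags) is not None
        if negated:
            matched = not matched
        i += 1
        if matched:
            if flags.get("F"):
                return 403
            i += flags.get("S", 0)  # [S=n]: skip the next n rules
    return 200


# Constructed request paths covering each rule and each flag.
CASES = [
    "/wp-content/uploads/2023/04/shell.php",     # uploads rule
    "/wp-content/uploads/2023/04/SHELL.PHP",     # [NC] makes the match case-insensitive
    "/wp-content/uploads/shell.php.",            # trailing dot covered by \.?$
    "/wp-content/uploads/shell.php7",            # php[1-7]?
    "/wp-content/uploads/shell.phtml",           # phtml?
    "/wp-content/uploads/shell.phar",            # not in the extension list
    "/wp-content/uploads/photo.jpg",
    "/wp-includes/load.php",                     # top-level wp-includes PHP
    "/wp-includes/js/jquery/jquery.min.js",
    "/wp-includes/js/tinymce/langs/en.php",
    "/wp-includes/theme-compat/comments.php",
    "/wp-admin/install.php",
    "/wp-admin/includes/upgrade.php",
    "/wp-admin/admin-ajax.php",
    "/index.php",
    "/wp-content/plugins/akismet/akismet.php",   # plugins rule
    "/wp-content/plugins/akismet/style.css",
]


def run_cases(cases=CASES, rules=ITHEMES_RULES):
    """Return (path, status) pairs for every case."""
    return [(p, evaluate(p, rules)) for p in cases]


if __name__ == "__main__":
    for path, status in run_cases():
        print(f"{status}  {path}")
```

Two things the run makes visible: the plugins rule forbids direct requests to every .php file under wp-content/plugins, so plugins that expect to be called that way will stop working, and the extension list is exactly what the regex says, so a name ending in .phar is not matched and whether such a file runs is decided by the PHP handler mapping, not by this rule.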
 
#6
For OLS, please use the OpenLiteSpeed Forum. This forum is for LiteSpeed Enterprise only.
https://forum.openlitespeed.org/

Thank you for the link for OpenLiteSpeed Forum :)
 
serpent_driver
#7
I find it slightly ironic and hypocritical that they aren't sending the headers themselves, despite recommending them. They don't even have a valid SSL cert for when I manually switched to https.
I think you have the wrong idea about how to run a website. LiteSpeed is primarily a provider of an alternative web server. But running a website requires more than just a web server. You either have to add the necessary information manually or expand the settings of the server control panel you are using. So if you want to criticize something, please direct your criticism to the manufacturer of your server control panel. LiteSpeed is just a web server provider.
 