Comments on: WordPress Security Headers – A Simple Guide to Making Your Website Safer https://www.plesk.com/blog/various/wordpress-security-headers/ Build, Secure and Run Apps and Websites Mon, 29 Apr 2024 14:16:44 +0000

By: V. https://www.plesk.com/blog/various/wordpress-security-headers/#comment-577016 Mon, 20 Feb 2023 12:52:13 +0000 https://www.plesk.com/?p=44676#comment-577016

Thanks for the reply Louis 🙂

By: Louis Vanfraechem https://www.plesk.com/blog/various/wordpress-security-headers/#comment-575355 Fri, 17 Feb 2023 08:50:16 +0000 https://www.plesk.com/?p=44676#comment-575355 In reply to V..

Hi there,

The standard requires sending this header always, except when the request is made to plain HTTP. This means an HSTS Host returns the “Strict-Transport-Security” HTTP response header field in its HTTP response messages sent over secure transport. An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. ‘Always’ means that the header will be sent even if the HTTP status code is 4xx, or 5xx. So arguably, it should be set to always in the HTTPS blocks and not be set in HTTP blocks at all. Hopefully, that can help. 🙂

By: V. https://www.plesk.com/blog/various/wordpress-security-headers/#comment-570888 Thu, 09 Feb 2023 14:57:51 +0000 https://www.plesk.com/?p=44676#comment-570888

Hi Elvis!

Is ‘always’ set correct?
Sometimes it is used, sometimes it is not used.
For example used on Apache but not on NGINX:

Apache

Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"

NGINX

add_header Strict-Transport-Security max-age=10886400;

By: raghab https://www.plesk.com/blog/various/wordpress-security-headers/#comment-347089 Mon, 14 Feb 2022 19:54:48 +0000 https://www.plesk.com/?p=44676#comment-347089

Thank you!
