I recently did a site health test and found none of my security headers are being sent. Here is the .htaccess:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://enigmapr0ject.live/$1 [R,L]
    # Security Headers
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header set Referrer-Policy "same-origin"
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
    </IfModule>

What am I doing wrong?
Ubuntu 20.04 VPS with latest version of LAMP via APT.
Edit: Changed the code, and the redirect from HTTP to HTTPS works perfectly, but the headers are not present on any requests.
Upvotes: 0
Views: 484
Turns out the AllowOverride was set to None in /etc/apache2/apache2.conf...
Upvotes: 1
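
The cause named in the answer can be checked mechanically. The following is an added example, not code from either post: it works out which AllowOverride applies to a document root and whether `Header` lines in a `.htaccess` there would be honored. The sample config is constructed, `/var/www/html` is an assumed document root, and only plain-path `<Directory>` sections are handled (no wildcards, regex sections, or AllowOverrideList).

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the style of a stock Ubuntu apache2.conf (not the poster's file).
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""
# Same config plus a narrower section granting only the class Header needs.
FIXED_CONF = SAMPLE_CONF + """\
<Directory /var/www/html>
    AllowOverride FileInfo
</Directory>
"""

def directory_overrides(conf_text):
    """Yield (path, override classes) for plain-path <Directory> sections."""
    current = None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?(/[^">]*?)"?\s*>$', line, re.I)
        directive = re.match(r"AllowOverride\s+(.+)$", line, re.I)
        if opened:
            current = PurePosixPath(opened.group(1))
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None and directive:
            yield current, directive.group(1).split()

def effective_override(conf_text, docroot):
    """Most specific enclosing section wins; Apache's default is None."""
    target, best, depth = PurePosixPath(docroot), ["None"], 0
    for path, classes in directory_overrides(conf_text):
        if (path == target or path in target.parents) and len(path.parts) >= depth:
            best, depth = classes, len(path.parts)
    return best

def htaccess_headers_honored(conf_text, docroot):
    """Header in .htaccess needs the FileInfo override class (or All)."""
    return bool({c.lower() for c in effective_override(conf_text, docroot)} & {"all", "fileinfo"})

if __name__ == "__main__":
    for name, conf in (("original", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, effective_override(conf, "/var/www/html"),
              htaccess_headers_honored(conf, "/var/www/html"))
```

Granting `FileInfo` on the one directory that needs it is narrower than `AllowOverride All`. After changing the server config, reload Apache and confirm the headers with `curl -sI` against the site.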