'Why can't Mozilla observatory detect the http security headers on my website anymore?

A few months ago, I added security headers to all of the pages on my website. The Mozilla Observatory detected the changes then and the score increased to B+. Though I haven't changed a thing, it now tells me there are none and I get a F score. That being said, both in Chrome and in Firefox, I do see the headers. What's wrong ? Any help is appreciated.

Here are the response headers :

cache-control: no-store, no-cache, must-revalidate
content-encoding: gzip
content-language: fr
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src https://mydomain/config.js 'unsafe-inline'; form-action 'self'; frame-ancestors 'none';
content-type: text/html; charset=UTF-8
date: Sun, 17 Oct 2021 11:41:27 GMT
expect-ct: enforce,max-age=2592000
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: strict-origin
server: Apache
strict-transport-security: max-age=15768000 ; includeSubDomains ;
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1;mode=block

Edit : Here is the result of the analysis Analysis returned by the Mozilla observatory



Solution 1:[1]

I was having the same problem with X-XSS in Mozilla Observatory and found this:

<IfModule mod_headers.c>
  Header always set X-XSS-Protection "1; mode=block"
</IfModule>

Then, the Observatory validated properly.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 J. Pelaez