'Why can't Mozilla observatory detect the http security headers on my website anymore?
A few months ago, I added security headers to all of the pages on my website. The Mozilla Observatory detected the changes then and the score increased to B+. Though I haven't changed a thing, it now tells me there are none and I get a F score. That being said, both in Chrome and in Firefox, I do see the headers. What's wrong ? Any help is appreciated.
Here are the response headers :
cache-control: no-store, no-cache, must-revalidate
content-encoding: gzip
content-language: fr
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src https://mydomain/config.js 'unsafe-inline'; form-action 'self'; frame-ancestors 'none';
content-type: text/html; charset=UTF-8
date: Sun, 17 Oct 2021 11:41:27 GMT
expect-ct: enforce,max-age=2592000
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: strict-origin
server: Apache
strict-transport-security: max-age=15768000 ; includeSubDomains ;
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1;mode=block
Edit : Here is the result of the analysis Analysis returned by the Mozilla observatory
Solution 1:[1]
I was having the same problem with X-XSS in Mozilla Observatory and found this:
<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Then, the Observatory validated properly.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | J. Pelaez |