Security report shows missing headers, .htaccess

Problem description    Votes: 0    Answers: 1

I am trying to adjust the security headers. The server is Apache. The site is built on WordPress. I have modified this file ten times and uploaded it to the server ten times, but I still have not figured out what I am doing wrong.

Can someone help me and save me?

Below is the full .htaccess file.

I am also using LiteSpeed Cache on the site; I have cleared the cache twenty times, but nothing happens.

When I scan the site on https://securityheaders.com/, the generated security report summary is always D.

Full contents: .htaccess

PS: I repeated the header lines in the .htaccess file; I really did not do anything wrong, but there still seems to be a problem. Any help or questions?

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###

### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera\ Mini|Opera\ Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###

### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###

### marker FAVICON start ###
RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(\d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600

ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600

ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600

ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600

ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600

</IfModule>
### marker BROWSER CACHE end ###

## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE

# SECURITY HEADERS - INSERTION 13:13 26.03.2024
## 01° BEGIN
## 02° BEGIN
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
</IfModule>
## 03° BEGIN
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
</IfModule>
## 04° BEGIN
<IfModule mod_headers.c>
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
## 05° BEGIN
<IfModule mod_headers.c>
    Header always set Expert-CT "max-age=777600, enforce"
</IfModule>
## 06° BEGIN
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
## 07° BEGIN
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
## 08° BEGIN
<IfModule mod_headers.c>
    Header always set X-Frame-Options: "SAMEORIGIN"
</IfModule>
## 09° BEGIN
<IfModule mod_headers.c>
    Header always set Permissions-Policy: "no-referrer-when-downgrade"
</IfModule>
# END SECURITY HEADERS

# SECURITY H INSERTION 13:13 26.03.2024
    Header always set Strict-Transport-Security: "max-age=31536000;includeSubDomains" env=HTTPS
    Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src 'self' data: blob: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com; script-src-elem * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; script-src-attr * 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval'; style-src * 'self' data: 'unsafe-inline' https://fonts.googleapis.com; style-src-elem * 'self' data: 'unsafe-inline'; style-src-attr * 'self' data: 'unsafe-inline'; img-src * 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com; font-src * 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; media-src 'self'; object-src 'none'; prefetch-src 'self'; child-src 'none'; frame-src 'self' *.google.com; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expert-CT "max-age=777600, enforce"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options: "SAMEORIGIN"
    Header always set Permissions-Policy: "no-referrer-when-downgrade"
# END SECURITY H

# START IONOS Performance Directory Index
# IONOS Directory Index v1
<IfModule mod_dir.c>
    DirectoryIndex index.php
</IfModule>
# END IONOS Performance Directory Index

# START IONOS Performance Cache Expiration
# IONOS Cache Expiration v1
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css A2419200
    ExpiresByType text/x-component A2419200
    ExpiresByType application/x-javascript A2419200
    ExpiresByType application/javascript A2419200
    ExpiresByType text/javascript A2419200
    ExpiresByType text/x-js A2419200
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType image/svg+xml A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A2419200
    ExpiresByType video/avi A2419200
    ExpiresByType image/bmp A2419200
    ExpiresByType application/java A2419200
    ExpiresByType video/divx A2419200
    ExpiresByType application/msword A2419200
    ExpiresByType application/vnd.ms-fontobject A2419200
    ExpiresByType application/x-msdownload A2419200
    ExpiresByType image/gif A2419200
    ExpiresByType application/x-gzip A2419200
    ExpiresByType image/x-icon A2419200
    ExpiresByType image/jpeg A2419200
    ExpiresByType application/json A2419200
    ExpiresByType application/vnd.ms-access A2419200
    ExpiresByType audio/midi A2419200
    ExpiresByType video/quicktime A2419200
    ExpiresByType audio/mpeg A2419200
    ExpiresByType video/mp4 A2419200
    ExpiresByType video/mpeg A2419200
    ExpiresByType application/vnd.ms-project A2419200
    ExpiresByType application/x-font-otf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType application/vnd.oasis.opendocument.database A2419200
    ExpiresByType application/vnd.oasis.opendocument.chart A2419200
    ExpiresByType application/vnd.oasis.opendocument.formula A2419200
    ExpiresByType application/vnd.oasis.opendocument.graphics A2419200
    ExpiresByType application/vnd.oasis.opendocument.presentation A2419200
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2419200
    ExpiresByType application/vnd.oasis.opendocument.text A2419200
    ExpiresByType audio/ogg A2419200
    ExpiresByType application/pdf A2419200
    ExpiresByType image/png A2419200
    ExpiresByType application/vnd.ms-powerpoint A2419200
    ExpiresByType audio/x-realaudio A2419200
    ExpiresByType image/svg+xml A2419200
    ExpiresByType application/x-shockwave-flash A2419200
    ExpiresByType application/x-tar A2419200
    ExpiresByType image/tiff A2419200
    ExpiresByType application/x-font-ttf A2419200
    ExpiresByType application/vnd.ms-opentype A2419200
    ExpiresByType audio/wav A2419200
    ExpiresByType audio/wma A2419200
    ExpiresByType application/vnd.ms-write A2419200
    ExpiresByType application/font-woff A2419200
    ExpiresByType application/vnd.ms-excel A2419200
    ExpiresByType application/zip A2419200
</IfModule>
# END IONOS Performance Cache Expiration

# START IONOS Performance Deflate
# IONOS Deflate v1
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/cache-manifest
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/vcard
    AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc
    AddOutputFilterByType DEFLATE text/vtt
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE text/x-cross-domain-policy
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/activity+json
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/ld+json
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/manifest+json
    AddOutputFilterByType DEFLATE application/rdf+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/schema+json
    AddOutputFilterByType DEFLATE application/vnd.geo+json
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE font/eot
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE image/bmp
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
    AddOutputFilterByType DEFLATE image/x-icon
</IfModule>
# END IONOS Performance Deflate

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
wordpress apache .htaccess caching content-security-policy
1 answer
0
votes

I ran into the same problem on a WordPress site. Because of certain server settings, the .htaccess file is sometimes ignored. I added the security headers using the "Redirection" plugin; its "Site" tab lets you set them. But note that caching plugins can interfere with headers, and cached responses will not show them.
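As an added example (not code from the question or the answer), here is a small Python audit that reads a captured response header block the way a scanner such as securityheaders.com would and reports the six graded headers that are missing, a value that belongs to a different header, or a CSP weakened by wildcards and unsafe keywords; the two sample responses are constructed, not captured from the poster's site, and the "good" one shows one corrected set of values.

```python
"""Offline audit of a captured HTTP response header block. Added example; the
sample responses below are constructed, not taken from the question's site."""
from __future__ import annotations

# The six response headers securityheaders.com grades on.
REQUIRED = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)
# Valid Referrer-Policy tokens; one of these in Permissions-Policy is a mix-up.
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
    "origin-when-cross-origin", "strict-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
}

def parse_headers(raw: str) -> dict[str, str]:
    """Parse 'Name: value' lines (status line skipped) into a lower-cased dict."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> list[str]:
    """Return findings for the response; an empty list means nothing to report."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    if "expert-ct" in h:  # typo seen in the question; Expect-CT is the real (deprecated) name
        findings.append("typo: Expert-CT (Expect-CT is the intended name, and it is deprecated)")
    pp = h.get("permissions-policy", "")
    if pp in REFERRER_POLICY_TOKENS:
        findings.append(f"permissions-policy carries a Referrer-Policy value: {pp!r}")
    csp = h.get("content-security-policy", "")
    for weak in ("'unsafe-inline'", "'unsafe-eval'", " * "):
        if weak in csp:
            findings.append(f"csp weakened by {weak.strip()!r}")
    return findings

# Constructed sample: headers as a misconfigured site might return them.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Expert-CT: max-age=777600, enforce
X-XSS-Protection: 1; mode=block
Permissions-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
"""
# Constructed sample: a corrected set of values that passes the audit.
SAMPLE_GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""
```

Run the audit on the headers of a freshly fetched, uncached page, since, as the answer notes, a cached response may not carry the headers at all.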
