Dear Sir,
Good day to you.
I am experiencing an issue related to missing security headers on my website that was detected when running a crawl using Screaming Frog. The screenshot is attached below:
📸 Screenshot: https://snipboard.io/fh4ZaC.jpg
In order to resolve these warnings, I added the following security headers to my .htaccess file:
<IfModule mod_headers.c>
  # Force Security Headers on Everything including Images
  # The leading dot is escaped so it matches a literal "." before the extension
  <FilesMatch "\.(php|html|htm|rtf|rtx|txt|xsd|xsl|xml|css|js|json|rss|atom|jpg|jpeg|png|gif|webp|avif|svg|ico|otf|ttf|woff|woff2)$">
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  </FilesMatch>
</IfModule>
However, even after applying the code, Screaming Frog still reports the same five issues. For testing, I switched Hostinger CDN to Development Mode, and all issues were solved. Once I turned the CDN back ON, the security header issues returned.
Hostinger support informed me that custom headers cannot be applied while using their CDN and recommended using Cloudflare or another third-party service to manage custom security headers.
I would like to ask:
Is there any configuration within XStore or theme options that affects security headers while using a CDN?
Do you have any recommended method to apply custom security headers while keeping the CDN enabled?
Does XStore override or modify default header behavior in any way?
Your guidance will be very helpful.
Thank you.
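
Added example, not part of the original post: a small check that compares two captured header blocks, one taken with the CDN bypassed and one taken through the CDN, and lists which of the headers from the .htaccess block above the origin sets correctly but the CDN response lacks. The function names and both sample captures are constructed for illustration; the expected values are copied from the post's configuration.

```python
# Compare the security headers from the post's .htaccess across two
# captured responses (header blocks as printed by `curl -sI <url>`).
EXPECTED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "content-security-policy": "upgrade-insecure-requests;",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}

def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'changed' | 'duplicated'}."""
    got = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = got.get(name, [])
        if len(values) != 1:
            report[name] = "duplicated" if values else "missing"
        else:
            report[name] = "ok" if values[0] == want else "changed"
    return report

def dropped_by_cdn(origin_raw, cdn_raw):
    """Headers the origin sends correctly but the CDN response lacks."""
    origin, cdn = audit(origin_raw), audit(cdn_raw)
    return sorted(h for h in EXPECTED if origin[h] == "ok" and cdn[h] != "ok")

# Constructed sample captures (not real responses from any site).
ORIGIN_SAMPLE = "HTTP/1.1 200 OK\r\n" + "".join(
    f"{k.title()}: {v}\r\n" for k, v in EXPECTED.items())
CDN_SAMPLE = ("HTTP/2 200\r\ncontent-type: image/png\r\n"
              "x-content-type-options: nosniff\r\n")

if __name__ == "__main__":
    print(dropped_by_cdn(ORIGIN_SAMPLE, CDN_SAMPLE))
```

Replace the two samples with real captures of the same URL, one taken in the CDN's Development Mode and one with the CDN on; an empty result means the headers survive the CDN.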