Htaccess file & Mozilla Observatory

Username (e.g. epiz_XXX) or Website URL


Error Message

I keep failing my security check when I use Mozilla Observatory even though I have addressed the main concerns in my htaccess file.

Observatory report

Other Information

This is my code for my htaccess file. Perhaps the error is here somewhere:

X-XSS-Protection, X-frames, X-Content-Type

Header always set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options "nosniff"
Header always add Content-Security-Policy "default-src 'self'; style=src 'specialcakesstyles.css 'eCommerceStyle.css'; img-src https://*; child-src 'none';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

HTTPS redirect

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

Please help :slight_smile:
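A small syntax linter run over the Content-Security-Policy value posted above, as an added example that is not part of the original thread. It checks only how that header value is written; the `CORRECTED` policy is an assumption that both stylesheets are served from the site's own origin.

```python
import re

# Directive names from the CSP specification (subset, enough for this example).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action",
    "frame-ancestors", "report-uri", "report-to", "sandbox",
    "upgrade-insecure-requests",
}
# Single quotes are reserved for keywords, nonces and hashes, never file names.
QUOTED_OK = re.compile(
    r"^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|"
    r"report-sample|wasm-unsafe-eval|nonce-[A-Za-z0-9+/_=-]+|"
    r"sha(256|384|512)-[A-Za-z0-9+/_=-]+)'$"
)

def lint_csp(policy):
    """Return a list of (directive, message) findings for one CSP header value."""
    findings, seen = [], set()
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            findings.append((name, "unknown directive, browsers ignore it"))
        elif name in seen:
            findings.append((name, "duplicate directive, only the first is used"))
        seen.add(name)
        for src in sources:
            if "'" in src and not QUOTED_OK.match(src):
                findings.append((name, f"malformed quoted source: {src}"))
    return findings

# Value exactly as posted in the question.
POSTED = ("default-src 'self'; style=src 'specialcakesstyles.css "
          "'eCommerceStyle.css'; img-src https://*; child-src 'none';")
# Assumed correction: both stylesheets are served from the site's own origin.
CORRECTED = "default-src 'self'; style-src 'self'; img-src https://*; child-src 'none'"

if __name__ == "__main__":
    for directive, message in lint_csp(POSTED):
        print(f"{directive}: {message}")
    print("corrected policy findings:", lint_csp(CORRECTED))
```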

This is expected due to this


That makes sense but…

I have installed an SSL certificate and the install seems fine. I’ve seen the intermediate/chain in the actions for Observatory but thought that it was separate to, say, adding for example X-XSS protection.

Surely I should get some “points” for addressing some of the issues like having an HTTPS redirect through my htaccess file?

I think your website does have a working HTTPS redirect, but Mozilla is unable to verify its existence due to this system:

If you’re not convinced, just try accessing your website without HTTPS and see if it redirects or not.


Thanks so much! Yes that makes sense.
