Htaccess wont load

I have the following code placed as a .htaccess in my htdocs/

But when I check the security of my website (with tools like, it shows that none of the Security-Headers works. I have also tried loading a php-file containing the headers which also didn’t work. Yet in general the htaccess works (tested by referring to other websites). It’s just the headers that won’t load.

AddType 'text/html; charset=UTF-8' html

#php_value auto_prepend_file /var/www/html/headers.php

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# HSTS verwenden
# Optional: "includeSubDomains"
Header set Strict-Transport-Security "max-age=31556926; includeSubDomains"

Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self';img-src 'self'; object-src   'self'; script-src 'self'; style-src 'self';"

# Verhindert mime based attacks, nur IE und Chrome
<IfModule mod_headers.c>
  # prevent mime based attacks like drive-by download attacks, IE and Chrome
  Header set X-Content-Type-Options "nosniff"

# Aktiviert XSS Praeventions-/Filter-Tools
# Optional: mode=block
Header set X-XSS-Protection "1; mode=block"

# Begrenzung der frame/iframe Darstellung
Header always append X-Frame-Options SAMEORIGIN

# Cookies nur ueber SSL and kein Javascript Zugriff
# Optional: Expires, Max-Age, Path, Domain
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"

# Kein PHP und System-Version ausgeben
Header unset X-Powered-By

# Download / Lade Inhalte nur von Seiten die explizit erlaubt sind
# Beispiel das alles von der eigenen Domain erlaubt allerdings keinerlei Externas:
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

# Referrer Policy
Header set Referrer-Policy "origin-when-cross-origin"

Header set Referrer-Policy "no-referrer"

So, does this mean my headers work?

No, because it’s heading to security system first, which doesn’t have these headers.

Only a browser client can pass it in regular window and not an Iframe.


Ok I think I can live without custom headers :smile:, thanks for the fast answer

AFAIK custom headers do work, but an external automatic scanner won’t be able to see them because of the security system which BayoDino linked an article about.

If you open your website in your web browser and then check the Network tab in the developer console, then you should see the requests to your website, including the response headers. You should be able to see your custom headers there.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.