SSL cert and .htaccess changes not recognised

My website URL is:
kingleo.org

What I’m seeing is:

I’m using this software:

Additional information:

Problem 1: Free hosting was supposed to provide free SSL. I did not get one.
So, I have uploaded a new SSL certificate which can be verified on cPanel (Private key and Cert in text areas). This cert is valid for 3 months. However, when I do SSL check, it shows me a free mismatched certificate valid for over 11 years with the server type as nginx instead of Apache.

Problem 2: I have added security headers in .htaccess file. However, on doing securityheaders.io test those are not reflected. It still shows that these headers are missing.

I have tried without ‘RewriteEngine On’ for ‘mod_headers.c’ with no luck.

BEGIN WordPress

RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] RewriteEngine On Header set X-XSS-Protection "1; mode=block" Header set Referrer-Policy: Origin-when-cross-origin Header always append X-Frame-Options SAMEORIGIN

END WordPress

I can see you got the free SSL. But note that the SSL we provide by default is a self signed certificate only. If you want a green lock, you will have to bring an SSL certificate yourself. Note that this is an improvement over other free hosting providers, who sometimes do not provide the option to use any sort of SSL at all.

As to why the SSL certificate you uploaded is not applied, I don’t know, but I’m going to look into that right now.

This is likely because securityheaders.io is not measuring your actual website, but is measuring the security page presented before browsers can access your website. So probably the security headers are working fine, even though securityheaders.io cannot read them itself.

You can learn more about the security page here:

https://infinityfree.net/support/javascript-error-using-api-or-mobile-android-app/

The SSL certificate seems to be working now.

However, I am concerned about the security headers. Will I be able to test for security headers using sites like securityheader.io if I upgrade my account?

With iFastNet premium plan, you don’t get the security system against bots and you can verify the security headers using that service you linked.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.