security score

how to make the security score get an A on the webpagetest
my website

If you click on the security score, you can see more info, or just read more here.

It’s about setting some headers that improve the security of your site by controlling how and from where resources are loaded. You probably need to use a htaccess file.

The exact settings depend on your setup and configuration. For example, if you want to set a Content Security Policy and you use third-party resources, you need to add those domains to your CSP. You should read more about each header before you attempt to implement them.

HTTP Strict Transport Security (HSTS)
HSTS: This is a header to only allow https connections. This ensures that no resources are loaded via the unencrypted HTTP protocol.

Content Security Policy (CSP)
CSP specifies which domains resources can be loaded from, to ensure there are no surprises. It needs to be updated any time you add a new external resource.

X-Content-Type-Options
Blocks requests of files that don’t match the file type, for example requesting .CSS as anything other than a style sheet. This prevents spoofed executables/code from being executed.

X-XSS-Protection
Attempts to block ongoing cross-site scripting attacks. Only needed if no CSP is set.

X-Frame-Options
Blocks external websites from embedding your website in an iframe. This prevents clickjacking and spoofing.

I also recommend this security test:

Hi, have you edited .htaccess before? You can easily achieve a better grade by adding lines like below. This will give you an A+ BUT make sure the settings for each line are what you want for your domain.

# Legacy browser XSS filter; only relevant when no CSP is set
Header set X-XSS-Protection "1; mode=block"
# Stop other sites framing this one (clickjacking)
Header always append X-Frame-Options SAMEORIGIN
# Make browsers honour the declared Content-Type instead of sniffing
Header set X-Content-Type-Options nosniff
# One year of HTTPS-only; sent only on HTTPS responses (HTTPS env var set by mod_ssl)
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Referrer-Policy "no-referrer-when-downgrade"
# Values containing spaces must be quoted, otherwise Apache rejects the directive
Header set Permissions-Policy "geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=(), microphone=()"
Header set Content-Security-Policy "frame-ancestors 'self'"
Header set X-Permitted-Cross-Domain-Policies "none"
# Expect-CT is obsolete in current browsers; harmless, but no longer needed
Header set Expect-CT "enforce, max-age=31536000"

Hope this helps.
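As an added example (not code from WebPageTest, Snyk, or anyone in this thread), the following Python script parses Apache `Header` directives from an .htaccess snippet into the response headers they would produce and runs the checklist from the first post (HSTS, CSP, X-Content-Type-Options, X-XSS-Protection only when no CSP exists, X-Frame-Options or CSP frame-ancestors) over them. It also flags the two copy-paste mistakes that silently break the snippet above: typographic quotes, and values with spaces that are not quoted. The function names, the constructed sample snippets, and the assumption that every `env=`/`expr=` condition holds (true for `env=HTTPS` on an HTTPS response) are mine, not the forum's.

```python
"""Added example (not WebPageTest's, Snyk's or the forum poster's code):
parse Apache `Header` directives from an .htaccess snippet into the response
headers they would emit, then run the checklist from the first post over them.
Assumes every env=/expr= condition holds (true for env=HTTPS on an HTTPS page)."""
import shlex

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # smart quotes from copy-pasting a forum post
CONDITION_PREFIXES = ("env=", "expr=")


def parse_header_directives(htaccess_text):
    """Return (headers, problems) for `Header [always] set|append|add|merge NAME VALUE [cond]` lines."""
    headers, problems = {}, []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in CURLY_QUOTES for ch in line):
            problems.append(f"typographic quotes, Apache will not parse them: {line}")
            continue
        parts = shlex.split(line)
        if not parts or parts[0].lower() != "header":
            continue
        if len(parts) > 1 and parts[1].lower() == "always":
            parts.pop(1)  # 'always' only selects the response table; the rest is unchanged
        if len(parts) < 4 or parts[1].lower() not in ("set", "append", "add", "merge"):
            problems.append(f"unrecognised Header directive: {line}")
            continue
        action, name, value, rest = parts[1].lower(), parts[2].lower(), parts[3], parts[4:]
        # Apache takes exactly one value argument; anything after it must be a condition,
        # so an unquoted value containing spaces shows up here as a stray token.
        stray = [t for t in rest if t != "early" and not t.startswith(CONDITION_PREFIXES)]
        if stray:
            problems.append(f"unquoted value with spaces? stray token {stray[0]!r} in: {line}")
            continue
        if action in ("append", "merge") and name in headers:
            headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value
    return headers, problems


def security_checklist(headers):
    """The five checks described in the thread: check name -> passed."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    return {
        "hsts": "max-age=" in h.get("strict-transport-security", "").lower(),
        "csp": bool(csp),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        # X-XSS-Protection is only needed when no CSP is set
        "xss_protection": bool(csp) or h.get("x-xss-protection", "").startswith("1"),
        "frame_protection": "frame-ancestors" in csp
        or h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
    }


def missing_checks(htaccess_text):
    """Names of checklist items the snippet does not satisfy."""
    headers, _ = parse_header_directives(htaccess_text)
    return [name for name, ok in security_checklist(headers).items() if not ok]


# Constructed sample: the reply's core directives written with straight quotes.
SAMPLE_HTACCESS = """
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Content-Security-Policy "frame-ancestors 'self'"
"""

# Constructed sample of the two copy-paste mistakes the checker catches.
BROKEN_HTACCESS = """
Header set X-XSS-Protection \u201c1; mode=block\u201d
Header set Expect-CT enforce, max-age=31536000
"""

if __name__ == "__main__":
    headers, problems = parse_header_directives(SAMPLE_HTACCESS)
    print("headers emitted:", headers)
    print("missing checks:", missing_checks(SAMPLE_HTACCESS))
    print("problems in broken snippet:", parse_header_directives(BROKEN_HTACCESS)[1])
```

Run it as-is to see the sample pass; to check your own file, read it and pass its contents to `missing_checks`. The parser only models the `Header` directives relevant here, so a real deployment should still be confirmed by fetching the live site and inspecting the actual response headers.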


Joined up on here purely to thank @TamarSolutions for their .htaccess edit mentioned above.

Never been a fan of the perpetual ‘F’ in the security settings, and the .htaccess edit above indeed turns the ‘F’ into an ‘A+’.
