Hi. I also keep getting this message. As if the set header values are not picked up.
In the /etc/httpd/sites-enabled/host_ssl.conf I’ve put this between the “VirtualHost” tag:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Referrer-Policy "no-referrer"
In the .htaccess file looks like:
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
SetEnv modHeadersAvailable true
Thus far I’m unable to get rid of the message under Security & setup warnings.
I’m using Centos7.5 with webstatic php71-fpm and mariadb 10.3.
The headers module appears to be loaded when issuing the command httpd -M.
... TRUNCATED ....
.... TRUNCATED ....
I’m pretty much out of options here. Is there someone here to help point into the right direction?