I installed and activated the Headers Security Advanced & HSTS WP plugin. I don't recall seeing anything about choosing Beginner or Advanced, though I am a rank beginner. After opening the settings page I made the quick selection "Strict Transport Security (HSTS)." I accepted the defaults and selected Save Changes. A banner near the top of the page says something like "Changes Saved." I also checked the boxes for Include Subdomains and Preload and saved changes successfully.

I looked at the .htaccess file in Public_HTML and found a Headers Security Advanced & HSTS WP 5.2.5 section, but the settings appear to be contradictory. For example:
Header set Content-Security-Policy "upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;"
Header set Content-Security-Policy-Report-Only "upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;"
In addition, the Include Subdomains and Preload settings are present: Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
When I ran a scan at the suggested site, SecurityHeaders.com, the grade was F! Clearly, there's something I've missed. Help would be most appreciated. After my initial submission of this help request, I cleared caches with no effect on the SecurityHeaders.com grade of F.
Here's the entire entry in .htaccess:
BEGIN Headers Security Advanced & HSTS WP 5.2.5
<IfModule mod_headers.c>
Header set Access-Control-Allow-Methods "GET,POST"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
Header set Content-Security-Policy "upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;"
Header set Content-Security-Policy-Report-Only "upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;"
Header set Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'"
Header set Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'"
Header set Cross-Origin-Opener-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=, picture-in-picture=, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Security-Policy "default-src 'self'; img-src *; media-src * data:;"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
END Headers Security Advanced & HSTS WP
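Added example (editor's note, not code from the post or from the plugin): before debugging the policy text, confirm that the headers in that .htaccess block are actually reaching the browser. A `<IfModule mod_headers.c>` block is skipped silently when the module is not loaded, .htaccess is ignored when `AllowOverride` does not permit it or the site is fronted by a non-Apache server, and a CDN or cache can strip headers; any of those produces an F on SecurityHeaders.com even though the file looks right. The script below parses a raw HTTP response head, lists which graded headers are absent, and separately flags directive-level problems visible in the posted block: a CSP whose only directive is `upgrade-insecure-requests` restricts nothing, `report-to` takes a reporting group name rather than a path, the `report-uri` endpoint names a filesystem directory (`public_html`) rather than a URL, and an identical `Content-Security-Policy-Report-Only` adds duplicate reports but no protection. The two responses embedded in it are constructed, not captured from a real site; the `EXPECTED` header list and the `FS_MARKERS` heuristic are the example's own assumptions.

```python
"""Check whether a site really sends the security headers its .htaccess claims,
and flag directives that do not do what the author intends.
Example code; the responses below are constructed, not captured from a live site."""

MAX_AGE_PRELOAD = 31536000  # one year: the minimum max-age hstspreload.org accepts

# Assumption of this example: headers the SecurityHeaders.com scan grades on.
EXPECTED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)

# Heuristic (assumed): path segments that name a hosting account's document root,
# which a browser cannot POST CSP reports to.
FS_MARKERS = ("public_html", "htdocs")


def parse_headers(raw):
    """Turn a raw response head (status line + header lines) into {name_lower: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value):
    """Problems that keep an HSTS header from meeting the preload-list requirements."""
    problems = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        problems.append("max-age directive missing")
    elif int(max_age.split("=", 1)[1]) < MAX_AGE_PRELOAD:
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload token missing")
    return problems


def check_csp(value):
    """Problems with a Content-Security-Policy value."""
    problems = []
    directives = [d.strip().split() for d in value.split(";") if d.strip()]
    names = {d[0].lower() for d in directives}
    if not names & {"default-src", "script-src", "object-src"}:
        problems.append("no default-src, script-src or object-src: the policy restricts no content loads")
    for d in directives:
        if d[0].lower() == "report-to" and any("/" in v for v in d[1:]):
            problems.append("report-to takes a group name from the Reporting-Endpoints header, not a path")
        if d[0].lower() == "report-uri" and any(m in v for v in d[1:] for m in FS_MARKERS):
            problems.append("report-uri names a filesystem directory, not a URL the browser can POST to")
    return problems


def audit(raw):
    """Return {'missing': [header, ...], 'problems': {header: [problem, ...]}} for one response."""
    headers = parse_headers(raw)
    report = {"missing": [h for h in EXPECTED if h.lower() not in headers], "problems": {}}
    for name, checker in (("Strict-Transport-Security", check_hsts),
                          ("Content-Security-Policy", check_csp)):
        for value in headers.get(name.lower(), []):
            found = checker(value)
            if found:
                report["problems"].setdefault(name, []).extend(found)
    enforced = headers.get("content-security-policy", [])
    if enforced and enforced == headers.get("content-security-policy-report-only", []):
        report["problems"].setdefault("Content-Security-Policy-Report-Only", []).append(
            "identical to the enforced policy: duplicate reports, no added protection")
    return report


# Constructed: what a scanner sees when Apache never applies the .htaccess block.
RESPONSE_WITHOUT_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
"""

# Constructed: the headers the posted block would send if mod_headers applied it.
RESPONSE_FROM_HTACCESS = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;
Content-Security-Policy-Report-Only: upgrade-insecure-requests; report-to /public_html/wp-content/csp-reports; report-uri /public_html/wp-content/csp-reports;
Permissions-Policy: camera=(), microphone=(), geolocation=(self)
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for label, raw in (("htaccess ignored", RESPONSE_WITHOUT_HEADERS),
                       ("htaccess applied", RESPONSE_FROM_HTACCESS)):
        print(label, audit(raw))
```

To run it against a live site, capture the response head with `curl -s -D - -o /dev/null https://example.com/` and pass the text to `audit()`. If the result lists most of `EXPECTED` as missing while the .htaccess block is in place, the problem is delivery (module not loaded, .htaccess not honoured, or a proxy/cache in front), not the directive text; if nothing is missing, the remaining findings are the policy-quality issues above, and the HSTS line itself already satisfies the preload requirements.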