Can not apply security tweaks

The following items won’t update:

Prevent Information Disclosure
Prevent PHP execution
X-Frame-Options Security Header
X-XSS-Protection Security Header
Feature-Policy Security Header

It says

“The rules can’t apply to your host. This can because of your host doesn’t allow for overriding, or you apply for the wrong webserver”

I have contacted the host and they confirmed that they do not allow .htaccess to be updated automatically.

  • Adam
    • Support Gorilla

    Hi Haris

    I hope you’re well today!

    I checked the site and while there is this error when trying to apply these tweaks, the related code actually already is in the .htaccess files for both “Prevent PHP Execution” and “Prevent Information Disclosure” tweaks.

    The other tweaks don’t require anything to be saved to .htaccess.

    However, I have also noticed that this seems to be a setup where the site is powered by Apache but there’s also an nginx webserver used, most likely as either some sort of “load balancing” or (more common case) as a reverse proxy or caching proxy.

    In such cases those tweaks might have to actually be applied to the nginx configuration (and it seems that only your host might have access to it). The two tweaks that need writing to the .htaccess file would have relevant code added to the nginx config file and the other ones are about HTTP headers which, even if properly set on “apache end”, might be overwritten by nginx that’s “between site and end user”.

    This is similar to having CloudFlare on the way between the site and end-user but CloudFlare does apply some of those security measures out of the box and it also properly “transports” HTTP headers.

    To sum it up: in this case I’m afraid you might need to ask your host to make sure about the configuration – if there is indeed nginx “in front” of Apache and, if so, if they could apply those security tweaks to its configuration for you.

    Kind regards,
    Adam
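
One way to check whether the three header tweaks survive a proxy in front of Apache, as an added example that is not part of the thread or the plugin's code: it compares the response head sent by the backend with the one the visitor receives. Both sample responses are constructed, and the function names are hypothetical.

```python
# Added example. ORIGIN and EDGE are constructed samples, not output from the
# site discussed in this thread.
SECURITY_HEADERS = ("x-frame-options", "x-xss-protection", "feature-policy")

ORIGIN = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Feature-Policy: geolocation 'self'
"""

EDGE = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def compare_heads(origin_raw, edge_raw):
    """Classify each security header by what happened between backend and visitor."""
    origin, edge = parse_head(origin_raw), parse_head(edge_raw)
    report = {"edge-server": edge.get("server", ["unknown"])[0]}
    for name in SECURITY_HEADERS:
        sent, seen = origin.get(name), edge.get(name)
        if sent is None and seen is None:
            report[name] = "not set anywhere"
        elif sent is None:
            report[name] = "added by proxy"
        elif seen is None:
            report[name] = "dropped by proxy"
        elif len(seen) > 1:
            report[name] = "duplicated"  # both layers emit it; browsers may reject
        elif sent != seen:
            report[name] = "overwritten by proxy"
        else:
            report[name] = "passed through"
    return report

if __name__ == "__main__":
    for key, status in compare_heads(ORIGIN, EDGE).items():
        print(f"{key}: {status}")
```

The backend head has to be captured on the host's side of the proxy, so on a setup like the one in this thread only the host can supply it.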