So Mozilla is offering a nifty website security testing tool, the Observatory, at https://observatory.mozilla.org/ (it grades the HTTP security headers your site sends, not just the TLS setup).
After I tried it, I had to fix a few things :). D- rating (ouch!)
HTTP Strict Transport Security
First enable the headers module (mod_headers) from the command line:
a2enmod headers
Then edit the vhost files in /etc/apache2/sites-available and add the Header directive inside the HTTPS (port 443) VirtualHost block, right below the VirtualHost line. Apache's Header directive takes the bare header name followed by the value in ASCII double quotes (the « » quotes are not quote characters to Apache), and "always set" is preferable to "add": "always" sends the header on error responses too, and "set" never emits it twice:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Be aware that includeSubDomains commits every subdomain to HTTPS for a year in every browser that has seen the header, so check that they all serve a valid certificate first (a short max-age is a safer first test).
Then restart Apache 2 with:
systemctl restart apache2
And then check that nothing went wrong at startup by looking at the daemon log (Apache's own errors land in /var/log/apache2/error.log):
less /var/log/daemon.log
Implement HTTP Headers
Install the WordPress plugin HTTP Headers by Dimitar Ivanov. In its security options, turn ON the following restrictions:
X-Frame-Options DENY (DENY also forbids the site from framing its own pages; if anything on the site does that, WordPress's Customizer preview for instance, use SAMEORIGIN instead)
X-XSS-Protection (typically sent as 1; mode=block; current browsers have dropped support for this header, so it is harmless but the real defence against XSS is a Content-Security-Policy)
X-Content-Type-Options nosniff
Then rescan.
That is how you end up with an A+ rating.
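To confirm that the HSTS directive above and the three plugin headers actually reach the browser before rescanning, here is an added example checker (my own script, not part of the original post, the plugin or Apache). It is POSIX shell; it reads a raw response header block such as `curl -sI https://www.example.com/` prints, and fails if HSTS is missing, has a max-age below the one-year value used above, or lacks includeSubDomains, or if any of the three X-* headers is missing or has the wrong value. The function names, the one-year threshold and the two sample responses are my assumptions; the samples are constructed, not captured from a real site. It also prints the Apache form of all four directives, so you can set the X-* headers in the vhost instead of through the plugin (use one or the other, not both).

```sh
#!/bin/sh
# Added example (not from the original post): checker for the headers the post
# turns on. Reads a raw HTTP response header block on stdin, as printed by
# `curl -sI https://www.example.com/`. Assumption: HSTS max-age must be at
# least one year (31536000), the value used in the post.

# The four directives in the form mod_headers accepts: bare header name, value in
# ASCII double quotes, `always` so error responses get them, `set` so none is
# ever duplicated. They belong in the :443 (HTTPS) VirtualHost only. The X-*
# lines are the Apache equivalent of what the WordPress plugin sends.
apache_header_directives() {
    cat <<'EOF'
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
EOF
}

# header_value NAME: print the value of header NAME from the block on stdin
# (case-insensitive name, CR and trailing blanks stripped). Prints nothing if absent.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        index(tolower($0), tolower(name) ":") == 1 {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# check_security_headers: read a header block on stdin, print one line per
# check, return 0 only if every check passes.
check_security_headers() {
    headers=$(cat)
    rc=0

    # HSTS: present, max-age of at least a year, includeSubDomains set.
    hsts=$(printf '%s\n' "$headers" | header_value Strict-Transport-Security | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$hsts" ]; then
        echo "FAIL Strict-Transport-Security missing"; rc=1
    elif [ "${max_age:-0}" -lt 31536000 ]; then
        echo "FAIL Strict-Transport-Security max-age=${max_age:-0} is below 31536000"; rc=1
    else
        case "$hsts" in
            *includesubdomains*) echo "OK   Strict-Transport-Security: $hsts" ;;
            *) echo "FAIL Strict-Transport-Security lacks includeSubDomains: $hsts"; rc=1 ;;
        esac
    fi

    # The three headers from the plugin's security options: exact value match.
    for pair in "X-Frame-Options=deny" "X-Content-Type-Options=nosniff" "X-XSS-Protection=1; mode=block"; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$headers" | header_value "$name" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "FAIL $name missing"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $name is '$got', expected '$want'"; rc=1
        else
            echo "OK   $name: $got"
        fi
    done
    return $rc
}

# Constructed sample responses (not captured from a real site): one that passes
# every check, and one in the typical state before the fixes.
SAMPLE_GOOD='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8'

SAMPLE_WEAK='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# Stand-alone run on the samples. For a live site, replace the printf with:
#   curl -sI https://www.example.com/ | check_security_headers
printf '%s\n' "$SAMPLE_GOOD" | check_security_headers && echo "good sample: all checks passed"
printf '%s\n' "$SAMPLE_WEAK" | check_security_headers || echo "weak sample: fix the FAIL lines above"
```

Run it against the HTTPS URL of the site, not the plain HTTP one: browsers ignore HSTS received over HTTP, and the directive is only configured in the :443 vhost anyway. If the live check passes but the Observatory still complains, the header is usually being set twice (plugin plus vhost) or only on some responses, which is what "always set" and using a single source for each header avoid.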
(Don't celebrate too much: my website rolled down from A to D- in… 11 months, between November 2016 and November 2017. Looks like a fight to keep up, so have a recheck every 6 months!)