Security headers are missing

If you have added security headers using PHP, they will not be added on cached pages. Once a page is cached, PHP is not executed, so the headers will not be added.

Did you know? Because PHP doesn't run on a cached page, the cached version of your site does not have the same vulnerabilities that require the headers. If the headers are there on the uncached version, which you can check by testing the url with ?nowprocket appended, then your site is protected.


We are providing these suggestions as a guide -  you must implement them yourself or with the help of your webhost/server admin. Our support cannot help you with this.

  • If you're using an Apache/LiteSpeed server, add the headers in the htaccess file, after the WP Rocket block of rules, or ask your webhost to apply them at the server level.
  • If you're using IIS, modify the web.config file
  • If you're on NGINX you will need to modify its config file.
  • Use the plugin HTTP Headers with its mod_headers option. This only works for Apache and LiteSpeed, not NGINX or IIS:

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.