I recently did a site health test and found none of my security headers are being sent. Here is the .htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://enigmapr0ject.live/$1 [R,L]
# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
What am I doing wrong?
Ubuntu 20.04 VPS with latest version of LAMP via APT.
Edit: Changed the code, and the redirect from HTTP to HTTPS works perfectly, but the headers are not present on any requests.
Turns out the AllowOverride was set to None in /etc/apache2/apache2.conf...