500 Internal Server Error when setting Content-Security-Policy header in .htaccess

I have a domain hosted on a shared server with the following .htaccess headers:

RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;" env=HTTPS
Header set X-Frame-Options: SAMEORIGIN
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy: strict-origin-when-cross-origin

Header set Content-Security-Policy-Report-Only: default-src: https:

The first group of headers seems to work perfectly, but when I include the last line I get a 500 Internal Server Error and the site doesn't load. I don't have access to the server logs, and the host's support agents aren't trained in this field at all.

Is there something I'm doing wrong here? Any help would be really appreciated!

spoke asked Oct 22 '25 01:10


1 Answer

Just worked this out, should have had 'default-src: https:' in quotes, as in:

Header set Content-Security-Policy-Report-Only: "default-src: https:"

Hope this helps someone!

spoke answered Oct 24 '25 18:10
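As an added check (my own code, not from the post above), the small linter below flags both problems visible on this page: an unquoted `Header` value whose second word Apache reads as a condition argument (in .htaccess that parse error surfaces as a 500), and a CSP directive name written with a trailing colon (`default-src:` is not a CSP directive, so even the quoted version above yields a policy browsers ignore). Tokenizing with `shlex` as an approximation of Apache's config tokenizer, and the report-only-without-endpoint warning, are my assumptions.

```python
"""Lint Apache mod_headers `Header` lines for unquoted values and bad CSP syntax."""
import shlex

CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


def check_header_line(line: str) -> list:
    """Return a list of problems found in one `Header ...` directive line."""
    problems = []
    tokens = shlex.split(line)  # double quotes group words, as in Apache's tokenizer
    if not tokens or tokens[0].lower() != "header":
        return ["not a Header directive"]
    i = 1
    if len(tokens) > i and tokens[i].lower() in ("always", "onsuccess"):
        i += 1
    if len(tokens) < i + 2:
        return ["incomplete Header directive"]
    action = tokens[i].lower()
    name = tokens[i + 1].rstrip(":")  # mod_headers tolerates a trailing colon on the name
    if action not in ("set", "add", "append", "merge"):
        return problems  # unset/echo/edit take other argument shapes; not checked here
    if len(tokens) < i + 3:
        return ["missing header value"]
    value = tokens[i + 2]
    for extra in tokens[i + 3:]:  # anything after the value must be a condition
        if not (extra.startswith(("env=", "expr=")) or extra == "early"):
            problems.append(f"extra argument {extra!r}: Apache treats it as a condition "
                            "and rejects the directive (a 500 from .htaccess); "
                            "quote the whole value")
    if name.lower() in CSP_HEADERS:
        problems += check_csp_value(value, name.lower().endswith("report-only"))
    return problems


def check_csp_value(value: str, report_only: bool) -> list:
    """Check directive-name syntax and, for report-only, that a report sink exists."""
    problems, names = [], []
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        dname = parts[0]
        if dname.endswith(":"):  # "default-src:" is not a directive; browsers ignore it
            problems.append(f"CSP directive name {dname!r} must not end with ':'; "
                            f"write {dname.rstrip(':')!r} followed by its sources")
        names.append(dname.lower())
    if report_only and not ({"report-uri", "report-to"} & set(names)):
        problems.append("report-only policy without report-uri/report-to: violations "
                        "appear only in the browser console, nothing is reported")
    return problems
```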