@rmpel
Created September 18, 2025 09:01
WordPress compatible Content-Security-Policy/Content-Type-Options rules Apache 2.4+
# BEGIN WP Security
<IfModule mod_headers.c>
# Set headers for all responses. Note: 'unsafe-inline' and 'unsafe-eval' in script-src
# are needed by many WordPress themes and plugins, but they largely defeat the CSP's
# protection against injected scripts; tighten them where the site allows it.
Header set Content-Security-Policy "default-src 'self' *.googlesyndication.com vimeo.com *.vimeo.com *.vimeocdn.com *.amazonaws.com *.google-analytics.com *.yoast.com yoast.com *.diffuse.tools; connect-src 'self' *.googlesyndication.com google.com *.google.com vimeo.com *.vimeo.com *.linkedin.com *.vimeocdn.com *.amazonaws.com *.google-analytics.com *.yoast.com yoast.com *.diffuse.tools; frame-src 'self' vimeo.com *.vimeo.com *.vimeocdn.com youtube.com *.youtube.com *.googletagmanager.com *.youtube-nocookie.com *.google.com *.doubleclick.net; script-src 'unsafe-inline' 'unsafe-eval' 'self' *.yoast.com yoast.com *.gstatic.com google.com *.google.com googletagmanager.com *.googletagmanager.com *.googleapis.com google-analytics.com *.google-analytics.com *.googlesyndication.com code.diffuse.nl adservice.google.nl adservice.google.com *.googleadservices.com browser-update.org *.facebook.net snap.licdn.com *.doubleclick.net; style-src 'unsafe-inline' 'self' *.googleapis.com; font-src data: 'self' fonts.gstatic.com wordpress.com; media-src 'self'; img-src data: 'self' *.facebook.com *.google-analytics.com *.googletagmanager.com *.w.org *.wordpress.com *.gravatar.com ytimg.com *.ytimg.com *.linkedin.com *.google.com *.google.nl"
Header set X-Content-Type-Options nosniff
# Unset on wp-admin (also /wp/wp-admin for subdirectory installs) or for logged-in users
# so the WP Admin UI keeps working. expr= conditions on Header need Apache 2.4.10+.
Header unset Content-Security-Policy "expr=%{REQUEST_URI} =~ m#^(/wp)?/wp-admin#"
Header unset Content-Security-Policy "expr=%{HTTP_COOKIE} =~ /wordpress_logged_in_/"
Header unset X-Content-Type-Options "expr=%{HTTP_COOKIE} =~ /wordpress_logged_in_/"
# Secure cookies: append HttpOnly and Secure to every Set-Cookie header
# (appended unconditionally, so a cookie that already carries a flag gets it twice)
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Other hardening headers
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
# END WP Security
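To check what a policy like the one above actually permits before deploying it, the following added example (not part of the gist) parses a CSP header value and evaluates requests against it, including the default-src fallback and the rule that `*.vimeo.com` never covers the apex `vimeo.com` (which is why the gist lists both). The policy excerpt and the page origin `https://example.org` are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed excerpt of the gist's policy: a few sources per directive, same shape.
POLICY = ("default-src 'self' *.yoast.com yoast.com; "
          "script-src 'unsafe-inline' 'unsafe-eval' 'self' *.googletagmanager.com; "
          "img-src data: 'self' *.gravatar.com; "
          "frame-src 'self' vimeo.com *.vimeo.com")

# Fetch directives that fall back to default-src when not listed explicitly.
FALLS_BACK = {"script-src", "style-src", "img-src", "font-src", "media-src",
              "connect-src", "frame-src", "object-src", "child-src", "worker-src"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source-expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # duplicate directive: first wins
    return policy


def host_matches(pattern, host):
    """CSP host matching: '*.vimeo.com' covers subdomains only, never the apex vimeo.com."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def csp_allows(policy, directive, url, page_origin="https://example.org"):
    """Return True if `url` may be loaded for `directive` on a page served from `page_origin`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive at all: the browser imposes no restriction
    u = urlparse(url)
    for src in sources:
        if src == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
        elif src.endswith(":"):  # scheme-source such as data:
            if u.scheme == src[:-1]:
                return True
        elif not src.startswith("'"):  # host-source (the gist uses bare hosts, no scheme/path)
            if u.hostname and host_matches(src, u.hostname.lower()):
                return True
    return False


def weak_script_sources(policy):
    """Keywords in the effective script-src that let injected inline or eval'd code run."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return sorted(s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'"))
```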