Security Header Upgrade
Headers hardened for the server.
V4.7 adds stronger Apache/cPanel security headers through .htaccess. This is what fixes the “Security headers could be stronger” finding.
HSTS | CSP | Permissions Policy | No Sniff | Frame Control | HTTPS Force
Headers added
Strict-Transport-Security: Forces browsers to prefer HTTPS after the first secure visit.
Content-Security-Policy: Limits where scripts, styles, images, forms, and frames can load from.
Permissions-Policy: Disables browser features this site does not need.
X-Content-Type-Options: Blocks MIME sniffing.
X-Frame-Options: Restricts framing to same origin.
Referrer-Policy: Limits how much referrer data leaks.
Important
These headers only take effect after the package is uploaded to Apache/cPanel and the server honors .htaccess. If your host ignores the headers, the page files are correct, but the Apache configuration must be enabled.
Upload rule: make sure the hidden .htaccess file uploads with the rest of public_html_upload/.
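One way to confirm the host is actually sending the six headers, as an added example that is not part of the V4.7 package: paste the output of curl -sI for the site into audit(). The expected values (nosniff, SAMEORIGIN, a non-zero max-age) are assumptions taken from the descriptions above, and both sample responses are constructed.

```python
import re

# Expected values are assumptions drawn from the page's one-line descriptions.
CHECKS = {
    "strict-transport-security": lambda v: bool(re.search(r'max-age\s*=\s*"?[1-9]\d*', v, re.I)),
    "content-security-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() == "SAMEORIGIN",
    "referrer-policy": lambda v: bool(v.strip()),
}

# Constructed sample responses (not captured from a real server).
IGNORED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
APPLIED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Permissions-Policy: geolocation=(), camera=()\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n"
)

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'unexpected'} for each listed header."""
    headers = parse_headers(raw)
    report = {}
    for name, check in CHECKS.items():
        values = headers.get(name)
        if not values:
            report[name] = "missing"    # e.g. the host ignored .htaccess
        else:
            report[name] = "ok" if all(check(v) for v in values) else "unexpected"
    return report

if __name__ == "__main__":
    for label, raw in (("ignored", IGNORED), ("applied", APPLIED)):
        print(label, audit(raw))
```

A report where every header is "missing" is the case described under Important: the files uploaded but the server is not applying .htaccess.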