WebForensik

Results for https://hi-reg.de/

Scan time: 2026-05-06 18:44:55

Overall Score

Score history for this domain

86 25.05. 86 25.05. 86 25.05. 86 25.05. 86 25.05. 86 25.05. 86 25.05. 86 26.05. 86 26.05. 65 29.05.

GDPR Summary

⚠ This website needs improvement regarding data protection.

GDPR Issues Detected (1):

⚠ Missing or unsafe Referrer-Policy — URLs containing personal data may be leaked to third parties.

Note: This automated analysis does not replace legal advice. For a complete GDPR assessment, consult a data protection officer.

↓ See detailed results for each category below.

100 HTTPS / Encryption

The website uses an encrypted connection (HTTPS).

Latest encryption active (TLS 1.3 — TLSv1.3).

The security certificate is valid (expires 2026-06-27).

Strong encryption method (TLS_AES_256_GCM_SHA384, 256 bit).

100 Enforced Encryption (HSTS)

HSTS is enabled — the browser is instructed to always use the encrypted connection.

HSTS duration: 63072000 seconds (at least 1 year) — very good.

HSTS also applies to all subdomains (includeSubDomains).

HSTS preload is enabled — browsers know about the encryption before the first visit.

30 Content Security Policy (CSP)

Content Security Policy present (via HTTP-Header).

No restriction for scripts defined (script-src/default-src missing).

☛ Action needed: Add a script-src directive to your Content Security Policy to define where scripts may be loaded from. Example: script-src 'self'

▸ How to fix this — step-by-step guide

Your CSP exists but has no script-src — meaning scripts are unrestricted. Scripts are the most common XSS vector. Add script-src together with the other essential directives.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'"
</IfModule>

⚠ Replace the existing CSP line (do not add a second one). This policy is deliberately pragmatic — it allows inline styles and data: URIs for images because almost all themes (especially WordPress!) need this. If you use external scripts (CDN), append the domain to script-src: script-src 'self' https://cdn.example.com. For maximum security later, gradually tighten style-src to 'self' and verify in the browser (F12 → Console) that no inline-style violations appear.

WordPress Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'"
</IfModule>

⚠ Replace the existing CSP. IMPORTANT for WordPress: img-src with data: enables emoji + admin-bar SVGs, style-src 'unsafe-inline' allows the many inline styles from themes and plugins — without both, the site will break visually. Common WP script sources to add to script-src: 'self' (own), https://www.googletagmanager.com (GTM), https://www.google-analytics.com (GA) — append after 'self' with a space.

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_action('send_headers', function () {
    header("Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'");
});

⚠ Watch out for existing send_headers hooks — keep only one active. Back up functions.php before editing!

✓ How to verify it works: F12 → Network → Response Header content-security-policy contains "script-src 'self'". Console: no script blocks, no "Refused to load…" messages.

↓ SHOW COMPLETE SOLUTION All missing security headers bundled at the end of the report — ready to copy.

20 Referrer Policy

Referrer-Policy: strict-origin-when-cross-origin strict-origin-when-cross-origin (via HTTP-Header).

The setting "strict-origin-when-cross-origin strict-origin-when-cross-origin" shares too much URL information with other websites.

☛ Action needed: Change the Referrer-Policy to a more privacy-friendly setting like "strict-origin-when-cross-origin" or "no-referrer". The current setting shares too much information with third parties.

▸ How to fix this — step-by-step guide

Your current Referrer-Policy reveals too much (e.g. "unsafe-url" or "no-referrer-when-downgrade"). Switch to a more privacy-friendly setting.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

⚠ Replace the existing Referrer-Policy line.

WordPress Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

⚠ Replace the existing Referrer-Policy entry.

✓ How to verify it works: F12 → Network → Response Header — new value visible.

↓ SHOW COMPLETE SOLUTION All missing security headers bundled at the end of the report — ready to copy.

0 MIME Type Protection

No MIME type protection (X-Content-Type-Options missing). Browsers may misinterpret files.

☛ Action needed: Add the header X-Content-Type-Options: nosniff. This prevents browsers from misinterpreting files, which can lead to security vulnerabilities. Your hosting provider or web developer can set this up in minutes.

▸ How to fix this — step-by-step guide

Without the "X-Content-Type-Options: nosniff" header the browser guesses file types from content — which attackers can exploit (e.g. a HTML file disguised as .jpg is executed as HTML). The fix is one single line.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

⚠ No side effects expected — considered a safe standard and best practice for years.

WordPress Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

⚠ Safe to add alongside other Header set entries.

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_action('send_headers', function () {
    header('X-Content-Type-Options: nosniff');
});

⚠ Back up functions.php before edits.

✓ How to verify it works: F12 → Network → Response Header: "x-content-type-options: nosniff".

↓ SHOW COMPLETE SOLUTION All missing security headers bundled at the end of the report — ready to copy.

0 Clickjacking Protection

Invalid X-Frame-Options value: SAMEORIGIN SAMEORIGIN.

☛ Action needed: The X-Frame-Options value is invalid. Use DENY or SAMEORIGIN.

▸ How to fix this — step-by-step guide

Your X-Frame-Options header has an invalid value. Only "DENY" (no embedding at all) or "SAMEORIGIN" (only your domain) are allowed.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

⚠ Replace the malformed value. If you want NO embedding at all, use DENY instead of SAMEORIGIN.

WordPress Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: .htaccess in the WordPress root

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

⚠ Replace the malformed entry.

✓ How to verify it works: F12 → Network → Response Header: value is DENY or SAMEORIGIN.

↓ SHOW COMPLETE SOLUTION All missing security headers bundled at the end of the report — ready to copy.

100 Permissions (Camera, Microphone, etc.)

Permissions-Policy is configured — access to sensitive device APIs is controlled.

4 of 6 sensitive APIs restricted — very good.

85 Cookies

2 first-party and 0 third-party cookie(s).

2 of 2 cookie(s) without Secure flag — sent over unencrypted connections too.

☛ Action needed: Set the Secure flag for all cookies. Without it, cookies are also sent over unencrypted HTTP connections and can be intercepted. Your web developer can change this in the cookie configuration.

▸ How to fix this — step-by-step guide

Cookies without the "Secure" flag are also sent over unencrypted HTTP — and can be intercepted by anyone on the same WLAN. There’s no reason to omit Secure on HTTPS-only sites.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
</IfModule>

⚠ This header appends "; Secure" to cookies that don’t have it yet. Requires Apache 2.4+. The cleaner fix is to correct the code that sets the cookie (PHP: session.cookie_secure=1 in php.ini, or setcookie() with "secure" => true).

WordPress Special for WordPress: where to add this

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme

add_filter('secure_logged_in_cookie', '__return_true');
add_action('init', function () {
    if (!headers_sent()) {
        @ini_set('session.cookie_secure', '1');
        @ini_set('session.cookie_httponly', '1');
        @ini_set('session.cookie_samesite', 'Lax');
    }
});

⚠ Sets the Secure flag for WordPress login cookies and PHP session cookies. Plugins that set their own cookies must be configured separately (check plugin settings).

WordPress plugin: Plugins that set cookies (cache, anti-spam, A/B testing) often have toggles like "Secure cookies" or "HTTPS only" in their settings.

✓ How to verify it works: F12 → Application → Cookies → your-domain.com. The "Secure" column should show a checkmark for every cookie.

2 of 2 cookie(s) without HttpOnly flag — could be read by malicious code.

☛ Action needed: Set the HttpOnly flag for all cookies that are not needed by JavaScript. This protects against session data theft through malicious code.

▸ How to fix this — step-by-step guide

Cookies without the "HttpOnly" flag can be read by JavaScript — an XSS attacker can steal session cookies and impersonate the logged-in user. Set HttpOnly for all cookies JavaScript doesn’t actively need.

Apache server (classic hosting at most providers)

File: .htaccess in the web root

<IfModule mod_headers.c>
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
</IfModule>

⚠ Cleaner: set cookies with HttpOnly directly (PHP: setcookie(..., [..., 'httponly'=>true])). Exception: cookies that JS actively reads (e.g. some consent cookies).

WordPress Special for WordPress: where to add this

Option 2: via functions.php in the child theme (Advanced alternative)

File: functions.php of your CHILD theme (or better wp-config.php)

@ini_set('session.cookie_httponly', '1');
@ini_set('session.cookie_secure', '1');

⚠ WordPress login cookies have been HttpOnly since 2.x. If you use a plugin that sets session cookies (e.g. WooCommerce cart pre-login), check its settings.

✓ How to verify it works: F12 → Application → Cookies → "HttpOnly" column shows checkmarks everywhere (except for deliberately JS-readable cookies like the consent cookie).

First-party cookies (from the website itself)

Name	Domain	Encrypted	Server only	SameSite
_pk_id.1.50af	hi-reg.de	No	No	Lax
_pk_ses.1.50af	hi-reg.de	No	No	Lax

↓ SHOW COMPLETE SOLUTION All missing security headers bundled at the end of the report — ready to copy.

70 Local Storage (Web Storage)

1 localStorage and 0 sessionStorage item(s) found.

localStorage

Name	Value
readabler	{}

100 Third-Party Requests

No third-party requests detected — all content comes from the website's own server.

100 Tracker Detection

No known trackers detected.

100 External Resource Integrity (SRI)

No external scripts or stylesheets loaded.

65 DNS Security

No CAA records. Any certificate authority could issue a certificate for this domain.

☛ Action needed: Create CAA DNS records to specify which certificate authorities may issue certificates for your domain. This prevents unauthorized certificates from being issued.

▸ How to fix this — step-by-step guide

CAA records (Certification Authority Authorization) define in DNS which Certificate Authorities are allowed to issue certificates for your domain. Without a CAA record an attacker could request a fraudulent certificate for your domain at any CA. CAA is pure DNS configuration — set in your registrar/DNS-panel, NOT in WordPress.

☞ Concrete CAA values for the ten most common DACH-region hosts

Find your host in the table, copy the values to your DNS panel. For multi-CA hosts: one separate CAA record per CA (all with tag issue, flag 0, name @). Additionally recommended: an iodef record with a contact email for abuse reports.

#	Host	CA(s) used	CAA value(s) — tag `issue`
1	Hetzner Webhosting (basic certificate, free in package)	DigiCert (programme „Encryption Everywhere")	`digicert.com`
1	Hetzner Webhosting (Let’s Encrypt, free)	Let’s Encrypt (ISRG)	`letsencrypt.org`
2	All-Inkl	Let’s Encrypt + Sectigo (Pro)	`letsencrypt.org` `sectigo.com`
3	IONOS (1&1)	DigiCert (GeoTrust) + Let’s Encrypt	`digicert.com` `letsencrypt.org`
4	STRATO	Sectigo + Let’s Encrypt	`sectigo.com` `letsencrypt.org`
5	Cloudflare (Universal SSL)	Google Trust Services + DigiCert + Let’s Encrypt	`pki.goog` `digicert.com` `letsencrypt.org`
6	AWS (ACM / CloudFront)	Amazon Trust Services	`amazon.com` `amazontrust.com` `awstrust.com` `amazonaws.com`
7	Mittwald	Let’s Encrypt + Sectigo	`letsencrypt.org` `sectigo.com`
8	Webgo	Let’s Encrypt + Sectigo	`letsencrypt.org` `sectigo.com`
9	raidboxes (Managed WordPress)	Let’s Encrypt	`letsencrypt.org`
10	Host Europe / DomainFactory	Sectigo + Let’s Encrypt	`sectigo.com` `letsencrypt.org`

Name   Type   Flag   Tag      Value
@      CAA    0      issue    "digicert.com"
@      CAA    0      issue    "letsencrypt.org"
@      CAA    0      iodef    "mailto:security@your-domain.com"

The iodef line (last line) is optional but recommended: CAs report abuse attempts to that address. For subdomains (e.g. shop.your-domain.com) create separate records with the subdomain name instead of @ — modern CAs check parent CAA automatically though.

If your host is not on the list: open your current certificate in the browser (padlock → certificate → issuer). The CA name is shown there (e.g. "Sectigo RSA Domain Validation Secure Server CA" → value sectigo.com). Add that as a CAA record, done.

WordPress Special for WordPress: where to add this

WordPress plugin: CAA records are NOT created in WordPress but in your domain registrar / DNS provider panel (e.g. Hetzner-Robot, IONOS Domains, Cloudflare Dashboard, INWX, etc.). Common label: "CAA record" or under "TXT records" with type selector "CAA". One separate record per CA.

✓ How to verify it works: On https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com → "DNS CAA" section → all your CAs should be listed. Or via dig: dig CAA your-domain.com.

3 nameservers present — good redundancy.

No IPv6 support (no AAAA record).

☛ Action needed: Enable IPv6 support (AAAA records) for your domain. More and more users are using IPv6.

▸ How to fix this — step-by-step guide

Your domain has no IPv6 address (AAAA record). Over 40% of users (especially mobile) reach the internet via IPv6 — they must take the slower IPv4 gateway detour.

WordPress Special for WordPress: where to add this

WordPress plugin: Pure DNS + server matter. Step 1: check if your host has an IPv6 address for you (hosting panel or support ticket). Step 2: in the DNS panel create an AAAA record pointing to that IPv6. Step 3: test.

✓ How to verify it works: dig AAAA your-domain.com — or online https://ipv6-test.com/validate.php?url=your-domain.com.

SPF record present: v=spf1 redirect=hi-reg.de.spf.hornetdmarc.com — protects against email spoofing.

DMARC record present: v=DMARC1; p=quarantine; pct=100; fo=0:s:d:1; rua=mailto:a.qwm448aq@reports.hornetdmarc.com — email authentication active.

0 Security Contact (security.txt)

No security.txt file found (RFC 9116). Security researchers don't know how to report vulnerabilities.

☛ Action needed: Create a security.txt file at /.well-known/security.txt. This allows security researchers to responsibly report vulnerabilities. Required fields: Contact (email or URL) and Expires (expiration date).

▸ How to fix this — step-by-step guide

A security.txt (RFC 9116) tells security researchers how to responsibly report vulnerabilities to you. Without it, reports may go to spam or never be sent. A plain text file at the correct path is enough.

Apache server (classic hosting at most providers)

File: /.well-known/security.txt (create the folder if it doesn’t exist)

Contact: mailto:security@your-domain.com
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://your-domain.com/.well-known/security.txt

⚠ Replace "security@your-domain.com" with your actual security contact (or a generic info@). "Expires" must be a future date and should be renewed regularly. The file is plain .txt, not PHP.

WordPress Special for WordPress: where to add this

Option 1: via .htaccess (recommended — no theme editing)

File: security.txt file in /.well-known/ under your WordPress root

Contact: mailto:security@your-domain.com
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://your-domain.com/.well-known/security.txt

⚠ Via FTP/SFTP create a folder ".well-known" in the WordPress root (the leading dot matters — some FTP tools need "show hidden files" enabled), inside save the file security.txt with the content above. If WordPress redirects the URL: add to .htaccess: RewriteRule ^\.well-known/ - [L]

WordPress plugin: Plugin "security.txt" (search the plugin directory) lets you configure this in the WordPress backend without FTP.

✓ How to verify it works: Open https://your-domain.com/.well-known/security.txt in a browser — content must be visible (no 404).

100 External Reporting Endpoints

No external reporting endpoints detected.

70 Cookie Consent

Cookie consent system detected: Borlabs Cookie, borlabs.

Consent system detected, but banner does not appear to be visible.

☛ Action needed: The consent system does not appear to be visible. Ensure the cookie banner is displayed on the first visit and is not hidden by CSS or JavaScript.

▸ How to fix this — step-by-step guide

Your consent system is wired up but the banner doesn’t appear visibly — perhaps hidden by another plugin or custom CSS. Risk: without a visible banner, no consent is given.

WordPress Special for WordPress: where to add this

WordPress plugin: Approach: 1) clear browser cache + cookies, use incognito. 2) In the consent plugin: check display conditions (e.g. "only EU visitors" — and you’re testing from a non-EU server). 3) F12 → Console for red errors from consent scripts. 4) Inspector → search DOM for "cookie", "consent" — element present but display:none? z-index too low? 5) Uninstall conflicting cookie-notice plugins.

✓ How to verify it works: Incognito tab, load page, wait 5 seconds — banner visible centered/bottom, doesn’t fully block main content, is clickable.

80 Privacy Policy & Legal Notice

Legal notice linked: "IMPRESSUM" (/impressum/).

☛ Action needed: The privacy policy link leads to an error. Check the URL and ensure the page is accessible.

▸ How to fix this — step-by-step guide

The privacy policy link returns an error (HTTP HTTP/1.1 301 Moved Permanently). Effectively the same as no privacy policy — same legal status as missing.

WordPress Special for WordPress: where to add this

WordPress plugin: Step 1: check the footer menu (Appearance → Menus → Footer menu → which URL does the "Privacy" item link to?). Step 2: does the target page still exist? Pages → All Pages. Step 3: if the page was renamed: update the menu link. Step 4: if deleted: create a new one. Step 5: on permalink issues, visit Settings → Permalinks → Save (no changes — rewrites .htaccess).

✓ How to verify it works: Privacy link in footer → opens the page with status 200, content visible.

⚙ Your ready-to-use security .htaccess

All missing security headers combined into one block. Append this block to the end of your .htaccess — done. 6 headers will be set.

⚠ Why this recommendation does NOT give a 100% score — and why that's how it is with WordPress

The Content-Security-Policy above deliberately includes 'unsafe-inline' for both style-src and script-src. This does NOT provide full XSS protection — it's a pragmatic trade-off, not a bug.

Why? A typical WordPress setup (theme + 5-15 plugins) emits 10-50 different inline <script> blocks into the HTML: jQuery init, slider init, cookie banner, tracking, GTM, web vitals, lazy-load, speculation rules and so on. A strict script-src 'self' blocks them all — the site becomes visually and functionally broken (blank slider, broken cookie banner, dead plugins).

Consequence for scoring: Sites running WordPress with plugins can score at most ~75-85 points in the CSP category in this app — the full 100% rating is only achievable when inline code is signed via nonce or hash (technically demanding, breaks on every theme/plugin update).

Paths to full XSS protection (in increasing complexity):

Plugin "WP Content Security Policy & Headers" — automatically adds nonces to inline scripts (medium effort, cleanest WP solution).
Hash-based CSP — whitelist every inline script via SHA-256 in the CSP (fragile, breaks on updates).
Externalize inline scripts — rebuild theme/plugins so no inline JS is emitted (huge effort, often impossible).

Anyone who doesn't take one of these paths lives with 'unsafe-inline' — like about 95% of all production WordPress sites on the web. The other CSP directives still protect: default-src 'self' blocks external resources, object-src 'none' bans Flash/Java, frame-ancestors 'self' prevents clickjacking, base-uri 'self' prevents base-tag hijacking. Not maximum protection, but realistic protection for WP reality.

⚠ Important on Hetzner-Konsoleh webhosting (managed / shared hosting)

On Hetzner-Konsoleh webhosting (and comparable shared hosts like All-Inkl, IONOS, Strato, 1blu, …), Apache throws a 500 Internal Server Error as soon as Header always edit Set-Cookie … expr=… appears in .htaccess. The Apache error log says:

Can't parse envclause/expression: syntax error, unexpected T_OP_STR_EQ, expecting $end

This is not a WebForensik bug and not a typo — the shared host has blocked the mod_headers expr= subset via AllowOverride limits (for security, because Header edit could also manipulate cookies of other tenants).

☛ For Hetzner-Konsoleh users: use the variant below marked with the red "Hetzner / Shared" badge. It consists of two files (.htaccess + wp-config.php) instead of one, but avoids the 500 error reliably. Cookie flags go into wp-config.php instead of .htaccess.

Apache Standard Apache (any host, without WordPress)

Append this block to the end of your .htaccess in the web root — done.

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"

    # Fehlende Cookie-Flags konditional ergänzen (nur wenn nicht schon gesetzt)
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
</IfModule>

Hetzner / Shared Hetzner-Konsoleh / Managed Hosting (two files)

This variant avoids the 500 Internal Server Error on Hetzner-Konsoleh and similar shared hosts (All-Inkl, IONOS, Strato, 1blu …): the .htaccess only contains the header directives (no "Header edit"), cookie flags move into wp-config.php. Two files to edit instead of one, but guaranteed to run.

1. File: .htaccess in the WordPress root

# BEGIN WebForensik Security
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# END WebForensik Security

2. File: wp-config.php in the WordPress root

Insert ABOVE the line "/* That's all, stop editing! */". Back up wp-config.php first!

// === WebForensik: Cookie-Hardening (Hetzner-Konsoleh-tauglich) ===
// Bitte OBERHALB der Zeile "/* That's all, stop editing! */" einfügen.
// Wirkt auf PHP-Session- und WordPress-Login-Cookies.
// Plugin-eigene Cookies (z.B. WooCommerce, Cookie-Banner) müssen in den
// Plugin-Einstellungen separat auf "Secure" gestellt werden.
@ini_set('session.cookie_secure',   '1');
@ini_set('session.cookie_httponly', '1');
if (!defined('FORCE_SSL_ADMIN')) define('FORCE_SSL_ADMIN', true);

WordPress WordPress: .htaccess in WP root

Insert this block ABOVE the "# BEGIN WordPress" line, otherwise WP overwrites it on permalink changes.

# BEGIN WebForensik Security
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"

    # Fehlende Cookie-Flags konditional ergänzen
    Header always edit Set-Cookie "^(.*)$" "$1; Secure" "expr=!(resp('Set-Cookie') -strmatch '*Secure*')"
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly" "expr=!(resp('Set-Cookie') -strmatch '*HttpOnly*')"
</IfModule>
# END WebForensik Security

WordPress Alternative for WordPress: functions.php in child theme

If your host disallows .htaccess changes: append this PHP snippet to the end of your CHILD theme's functions.php. Back up first — NEVER edit the parent theme, it gets overwritten on updates.

add_action('send_headers', function () {
    header("Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self' https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; upgrade-insecure-requests");
    header("Referrer-Policy: strict-origin-when-cross-origin");
    header("X-Content-Type-Options: nosniff");
    header("X-Frame-Options: SAMEORIGIN");
});

// Cookie-Flags für PHP-Session-Cookies — wirkt nur auf $_SESSION,
// NICHT auf von Plugins/Themes per setcookie() gesetzte Cookies.
// Für umfassende Cookie-Absicherung die .htaccess-Variante oben verwenden.
add_action('init', function () {
    if (headers_sent()) return;
    @ini_set('session.cookie_secure', '1');
    @ini_set('session.cookie_httponly', '1');
}, 1);

Dry-run — we re-load your site with the proposed headers and show which resources would be blocked. Takes about 30 seconds.

HTTP Response Headers

Header	Value
access-control-allow-headers	Content-Type, Authorization Content-Type, Authorization
access-control-allow-methods	GET,POST GET,POST
content-security-policy	upgrade-insecure-requests; upgrade-insecure-requests;
content-type	text/html; charset=UTF-8
cross-origin-embedder-policy	unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-embedder-policy-report-only	unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-opener-policy	unsafe-none unsafe-none
cross-origin-opener-policy-report-only	unsafe-none; report-to='default' unsafe-none; report-to='default'
cross-origin-resource-policy	cross-origin cross-origin
date	Wed, 06 May 2026 16:44:22 GMT
link	<https://hi-reg.de/wp-json/>; rel="https://api.w.org/", <https://hi-reg.de/wp-json/wp/v2/pages/14>; rel="alternate"; title="JSON"; type="application/json", <https://hi-reg.de/>; rel=shortlink
permissions-policy	accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=()
referrer-policy	strict-origin-when-cross-origin strict-origin-when-cross-origin
server	Apache
strict-transport-security	max-age=63072000; includeSubDomains; preload max-age=63072000; includeSubDomains; preload
x-cache	bypass
x-content-security-policy	default-src 'self'; img-src ; media-src data:; default-src 'self'; img-src ; media-src data:;
x-frame-options	SAMEORIGIN SAMEORIGIN
x-permitted-cross-domain-policies	none none
x-tec-api-origin	https://hi-reg.de
x-tec-api-root	https://hi-reg.de/wp-json/tribe/events/v1/
x-tec-api-version	v1

New Scan · Compare

Embed your score on your website

Show your WebForensik score publicly. The badge is a lightweight SVG, loads fast, and respects your visitors' privacy (no tracking).

HTML code to embed (this specific scan)

<a href="https://webforensik.de/results.php?id=77" target="_blank" rel="noopener">
  <img src="https://webforensik.de/badge.php?id=77" alt="WebForensik Score" width="174" height="28">
</a>

Or dynamically — always shows the latest scan of this domain

<a href="https://webforensik.de/?url=https://hi-reg.de" target="_blank" rel="noopener">
  <img src="https://webforensik.de/badge.php?domain=hi-reg.de" alt="WebForensik Score" width="174" height="28">
</a>