.htaccess file - CSP (Content Security Policy)

There is security headers code in the Elements manual - .htaccess file | RapidWeaver Elements Docs (scroll down).

Is anyone using CSP? “The main goal is to prevent attacks like cross-site scripting (XSS).”

There is also a link to test your site. My Elements site got an F.

I am using CSP in the htaccess with an A rating:

@differentdan Have you had a chance to look at forms and the need to disable the referrer policy?

@PLM Elements itself only has a very limited influence on this. How the htaccess is set up and how your hosting service allows changes and/or has security set up themselves is the defining point in this.


I put the code in my .htaccess file and got an A. My server is using PHP 8.4, Apache 2.4.

How to fix the last red Content-Security-Policy? @tpbradley

@Fuellemann we got different issues … my Referrer-Policy is okay. A mix of your code and the Elements manual code might fix the problem?

I’ve got a lot going on, remind me where we talked about that again?

Sorry, check my mail from December and it is definitely not any prio, just checking:

On Mon, Dec 29, 2025 at 2:27 PM GMT, Jan Fuellemann hallo@einfach-gute-seiten.de wrote:

In my htaccess I had disabled:

Referrer-Policy

Header set Referrer-Policy "no-referrer"

Oh strange, I will have to test that on my server as that’s a pretty common security setting so it should be able to be used without affecting the form. I’ll test it out and if I can reproduce then hopefully we can get that fixed. Thanks for letting me know! :slightly_smiling_face:


Thanks, will test it out on our new servers and see if I can replicate. Give me some time. :folded_hands:
