Obeying Headers recommendations using .htaccess


Is it possible to obey the security headers recommendations on a wordpress web site in which it is only possible to set headers via the .htaccess file?

I tried to just copy/paste the suggested Header set… but… it breaks the wordpress admin page. And most likely something else too :wink: It works beautifully with static web sites though. I tried using FileMatch to limit the headers to the SecureDrop landing page but … it does not have a distinctive filename: it is of the form /whistleblower/ therefore with an empty file name.