Why does Joomla recommend setting HSTS in Global Configuration AND .htaccess?

It does not. Pick one. Joomla's Global Configuration HSTS is the cleaner approach because it integrates with URL routing and Force HTTPS. Setting HSTS in both places means two Strict-Transport-Security headers, which most browsers handle correctly but is unnecessary noise.

Will my Joomla extensions break the Content-Security-Policy?

Possibly. Extensions that inject inline scripts (popular for galleries, sliders, analytics) need 'unsafe-inline' for script-src — already in the policy above. To tighten further, use a CSP report-only mode first to identify what each extension needs, then switch to enforcing mode.

Where is the Joomla htaccess template file?

In the Joomla root as htaccess.txt. Rename it to .htaccess to activate it. Joomla ships it as .txt so it does not accidentally apply during install — you opt in by renaming.

Does Joomla 3 support the same HSTS toggle?

Joomla 3.10 added Force HTTPS but not the full HSTS configuration UI that 4+ has. On 3.x, use the .htaccess approach for HSTS too. Better still, upgrade to 5 — Joomla 3 reaches end-of-life August 2026.

How to Fix Security Headers in Joomla

Joomla 4 and 5 ship with a built-in HSTS toggle in Global Configuration but rely on the server (typically Apache via .htaccess) for the other five security headers our Security Audit checks. This guide walks through every fix: enabling Joomla's HSTS, adding the rest via .htaccess, hardening session cookies, and publishing security.txt. Tested against Joomla 5.1 on Apache 2.4. For WordPress, see the WordPress variant; for the full finding catalogue, see Security Audit Fixes.

1. Enable Joomla's built-in HSTS

Joomla 4+ has a native HSTS feature you should use before adding HSTS via .htaccess — it integrates with Joomla's URL routing.

Step 1

Open Global Configuration

Joomla admin → System → Global Configuration → Server tab.

Step 2

Toggle HSTS

Set Force HTTPS to Entire Site. Set HTTP Strict Transport Security (HSTS) to Yes. Configure: HSTS Max Age 31536000, HSTS Apply to Subdomains Yes, HSTS Preload Yes. Save.

⚠️ Don't enable HSTS preload until you're certain every subdomain is on HTTPS. The browser preload list is hard to remove from once submitted.

2. Add the other five headers via .htaccess

Joomla doesn't manage CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy or Permissions-Policy natively. Add them to the root .htaccess:

Step 1

Locate .htaccess

Joomla root contains htaccess.txt (template) and .htaccess (active file). If .htaccess is missing, rename htaccess.txt to .htaccess first.

Step 2

Add the directives

At the top of .htaccess:

<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'"
</IfModule>

💡 Joomla extensions often inject inline scripts. The CSP above includes 'unsafe-inline' for script-src and style-src — restrict this once you've identified all extensions that need it.

3. Harden session and cookie settings

Joomla's session cookies need the Secure and HttpOnly flags. SameSite needs configuration in Global Configuration.

Step 1

Session settings

System tab → Session Settings → Session Handler: Database. Force HTTPS: Entire Site (Server tab).

Step 2

Cookie SameSite

System tab → Cookie Settings → Cookie SameSite: Lax (recommended default). Save.

4. Publish security.txt

Step 1

Create the file

Create .well-known/security.txt in the Joomla root:

Contact: mailto:security@yourdomain.com
Expires: 2027-05-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt

Add to .htaccess:

<Files "security.txt">
  ForceType text/plain
</Files>

5. Verify

Step 1

Curl test

curl -sI https://yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security"

All six should appear. Then re-run the Security Audit.

🛡 Re-run the audit

Verify every header, TLS protocol and security.txt with a fresh scan.

Run Security Audit →