Replies: 0
The recommended security headers will always show false values if the server is configured to use these headers.
Adding apache_response_headers would help identify headers that Apache is configured for as the current implementation only deals with .htaccess edits.
Since .htaccess is the only checks being done, this plugin is not really that efficient and will give you false values. Given the size of the alerts section, this can be very frustrating.
Also, an update to validate response headers would be ideal too. Especially for duplicate headers as this can have negative affects and can cause unexpected issues. Strict-Transport-Security is an example of such an response header.