Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Translation:

    Hello, our site is currently “protected” by Wordfence freemium, but after checking on https://securityheaders.com we obtained a grade of F!!! Does Wordfence take care of header security or do we need to use another plugin to do it? Thanks.

    The headers mentioned in the result are not added by Wordfence, but when adding your own headers, including implementing a Content Security Policy, there are some things to consider. Some can be added through HTML, although there may be plugins that offer to handle these for you on WordPress.

    X-Content-Type-Options and X-Frame-Options should be fine to use from our experience.

    Strict-Transport-Security can be fine to implement, but understanding the risks and being certain everything on the site is already using HTTPS is key: https://www.netsparker.com/blog/web-security/http-strict-transport-security-hsts/

    Content-Security-Policy can be hard to get right currently without something going wrong in WordPress or a plugin/theme. With some scripts coming from CDNs or other plugins having reasons to include scripts hosted on third-party domains, it may be difficult to impose forced blocks on these and still maintain full functionality on your site.

    You can look into the details of these headers, the options available to you and the reasons behind each one at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

    Thanks,
    Peter.
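
A local check for the four headers discussed in the reply above, as an added example that is not part of the original post or of Wordfence. The function names, status labels and sample headers are assumptions constructed for illustration; the second function lists the third-party script hosts a policy would have to allow, which is the part the reply describes as hard to get right.

```python
import re

def audit_headers(headers, site_fully_https):
    """Classify the four headers named in the reply; returns {name: status}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    def check(name, is_valid):
        value = h.get(name)
        report[name] = "missing" if value is None else ("ok" if is_valid(value) else "invalid")

    check("x-content-type-options", lambda v: v.lower() == "nosniff")
    # ALLOW-FROM is obsolete in current browsers, so it is not counted as valid.
    check("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"))
    check("strict-transport-security", lambda v: re.search(r'max-age="?\d+', v, re.I) is not None)
    # HSTS makes browsers refuse plain HTTP for max-age seconds: risky until all is HTTPS.
    if report["strict-transport-security"] == "ok" and not site_fully_https:
        report["strict-transport-security"] = "risky"
    # Report-Only logs violations without blocking, useful while tuning a policy.
    report["content-security-policy"] = (
        "enforced" if "content-security-policy" in h
        else "report-only" if "content-security-policy-report-only" in h
        else "missing")
    return report

def third_party_script_hosts(csp, own_host):
    """Hosts other than own_host that script-src (or default-src) allows."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    hosts = []
    for src in sources:
        if src.startswith("'") or src.endswith(":"):  # 'self', 'nonce-...', https:
            continue
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src, flags=re.I)
        host = host.split("/")[0].split(":")[0].lower()
        if host != own_host and host not in hosts:
            hosts.append(host)
    return hosts

# Constructed sample, not taken from any real site.
SAMPLE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' https://cdn.example.com https://stats.example.net/js",
}
```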


The topic ‘securité header’ is closed to new replies.