Rules in .htaccess only if the requested URL is /wp-admin

Try something like this instead:

<If "%{THE_REQUEST} !~ m#\s/wp-admin#">
Header add Content-Security-Policy "default-src 'self';"
Header add Content-Security-Policy "script-src 'self';"
</If>

This should set the two headers only when the requested URL does not start with /wp-admin.

The check is against THE_REQUEST (as opposed to REQUEST_URI) since REQUEST_URI changes when the URL is rewritten by the WordPress front-controller. THE_REQUEST is the first line of the request headers (a string of the form GET /wp-admin/something HTTP/1.1) and does not change when the request is rewritten.

Maybe it would be nice if a loggedin user is on the website that the lines also not be executed.
(I need to do it with htaccess.)

You can’t reliably do this with .htaccess. In .htaccess you can only determine whether the authentication cookie is set, not whether it is set correctly.

Related Posts:

  1. Improve wordpress security by hiding non public resources
  2. Does this .htaccess security setting really work?
  3. File and directory permissions
  4. Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021
  5. WordPress URL/Folder ReWrite using Htaccess
  6. Which WordPress scripts need to be executable for a fresh installation?
  7. Blocking access to wp-login via htaccess not working
  8. Attach to wp-login.php and xmlrpc.php
  9. XMLRPC filtering through htaccess not working
  10. Restricting user login by IP address
  11. WordPress: Adding Security
  12. How do I test to ensure that my wp-config file is protected?
  13. WordPress not seeing .htaccess rules
  14. Disable directory browsing of uploads folder
  15. Strange behaviour of is_user_logged_in() and get_current_user_id()
  16. Selectively Disabling PHP via .htaccess in Root Directory
  17. Should I prevent access to .htaccess and wp-config.php files?
  18. Blocking wp-login in HTACCESS has also blocked password protected pages
  19. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  20. Using htaccess to prevent spam through wp-comments-post.php
  21. How can I create a private site that is inaccessible from the outside?
  22. Restrict Content for only Contributors via .htaccess
  23. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  24. Why is this line of code Wrong in every WordPress .Htaccess security article?
  25. How to redirect all HTTP requests to HTTPS
  26. Default .htaccess file for WordPress?
  27. Which one does WordPress prioritize when it comes to php.ini, wp-config and .htaccess?
  28. Security and .htaccess
  29. htaccess disable WordPress rewrite rules for folder and its contents
  30. Admin-Ajax.php, SSL, Non-SSL
  31. How to Block Access to Standard Login Flow and Comment Flow
  32. How disable SSL redirect for specific URL?
  33. Which ways can be used to log in to WordPress?
  34. Why does the header set X-Robots-Tag apply to all pages?
  35. How to change “wp-admin” to something else without search-replacing the core?
  36. Error:406 not acceptable
  37. .htaccess Rewrite URL WordPress
  38. A plugin changes my .htaccess file and I can’t access httpd.conf as that’s a shared server
  39. How can I code my plugin to safely modify .htaccess?
  40. HTAccess stops me from accessing WordPress Dashboard links
  41. Create subdomain masking for each user in WordPress
  42. Redirect from different port to subdomain – htaccess
  43. .htaccess rewrite rule puzzle
  44. Allow logged in users who doesn’t belong to whitelisted ips
  45. Best way to redirect site in subdirectory to root?
  46. Missing slash after moving site to subfolder
  47. WildCard SSL with wordpress subdomain
  48. Install a Network under a mapped domain
  49. browser caching not disabled after disabling in .htaccess
  50. Transfer to HTTPS – mixed content on main page only [closed]
  51. Htaccess redirect after changing Language URL format
  52. Adding a SSL Certificate
  53. .htaccess Security Header Rules
  54. Modify the .htaccess file
  55. mod_rewrite loop, redirecting http to https on certain section of wordpress blog
  56. .htaccess in subdir gets ignored by WordPress’ own .htaccess in /
  57. sitemap contains weird links and does not contain my pages [closed]
  58. want to rewrite an URL in wordpress
  59. how to redirect 301 my old search query string to wordpress search query string?
  60. WordPress sites in subfolders
  61. Admin Panel Slowdown After SSL Verification
  62. WordPress category with 404 error
  63. How to block access to files without modifying .htaccess or ngnix config? [closed]
  64. Allow REST API over HTTP, the rest of the site forced to HTTPS
  65. Conflict with Force SSL and Rewrite Rules
  66. I have a page using a pretty url and a mod_rewrite rule matching it. I expected it to give an error but it’s working. Why?
  67. How do I setup htaccess for 301 redirects, post Joomla to WordPress migration? [closed]
  68. Hide a subdirectory on my website hosting
  69. Can’t access WP site over WiFi network
  70. Creating a copy of a website in a subdirectory, wp-admin redirect problem
  71. How to rewrite 404 to home page using htaccess?
  72. Troll the hackers by redirecting them
  73. I am new in word pres my font awesome is not allow
  74. htaccess redirect throws an error: PHP Catchable fatal error: Object of class WP_Error could not be converted to string
  75. “Oops.” error on an html file directly uploaded to a subdirectory of my WordPress site
  76. WordPress permalinks confusion
  77. Sub domain URL slash / missing after domain and before Post & page slug
  78. Why my WordPress Site Asking for HTTP Authentication?
  79. I need to make one folder private
  80. htaccess redirects invalid request to home page not 404
  81. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  82. Force HTTPS for mapped domain pointing to wordpress domain
  83. WordPress How to rewrite URL for custom pages
  84. How can I restrict access, by IP, to the `wp-admin` folder/Dashboard?
  85. How to properly give WordPress its own directory
  86. WordPress permalinks is wrong. It wants me to change my htaccess file. But then site crashes
  87. How to move wordpress website from hosting account to localhost
  88. Question with .htaccess and wp-login.php prevention
  89. WordPress RSS feed to external XML
  90. Does htaccess password keep search engines out?
  91. htaccess old php pages to new wordpress ones
  92. different CNAME to corresponding subfolders
  93. block seacrh engines for all pages EXCEPT homepage
  94. Problem with All in one WP Migration – only works the home page
  95. My WP site and password was hacked, what to do? [closed]
  96. htaccess – Server Subdirectory With Different Name Than URL Subdirectory
  97. How can I stop WordPress from catching URL’s for static pages that I save on my server
  98. .htaccess seems to be required but I can not find it
  99. cant access website thru www only works on direct xyz.com
  100. When accessing a wordpress blog, I want to force http when accessing wordpress via xmlrpc otherwise force https