Not alle headers are actived

  • Resolved quadrumanous

    (@quadrumanous)


    6 years, 4 months ago

    Hi,

    We have actived verious headers, but some (like the access-control-allow-origin and access-control-allow-methods) are not added to the site responses.

    Any idee what I’m doing wrong?

    The page I need help with: [log in to see the link]

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @quadrumanous,

    For the Access-Control-Allow-Origin header – I found a bug when a wildcard “*” is used. I’ve just released a new bug-fixed version 1.9.5. Please update this plugin and try again.

    For the Access-Control-Allow-Methods – to send this header with the response you must select at least one method, e.g. GET, POST, etc., otherwise this header will not be present into the response.

    Regards,

    Thread Starter quadrumanous

    (@quadrumanous)

    Hi Dimitar,

    Unfortunately no improvement with 1.9.5 on our config.

    If I make an config export I see these in the .sql:

    
<em>INSERT INTO wp_options (option_id, option_name, option_value, autoload)
VALUES (NULL, 'hh_access_control_allow_methods', '1', 'yes')
ON DUPLICATE KEY UPDATE option_value = '1', autoload = 'yes';

INSERT INTO wp_options (option_id, option_name, option_value, autoload)
VALUES (NULL, 'hh_access_control_allow_methods_value', 'a:3:{s:3:"GET";s:1:"1";s:4:"POST";s:1:"1";s:4:"HEAD";s:1:"1";}', 'yes')
ON DUPLICATE KEY UPDATE option_value = 'a:3:{s:3:"GET";s:1:"1";s:4:"POST";s:1:"1";s:4:"HEAD";s:1:"1";}', autoload = 'yes';

INSERT INTO wp_options (option_id, option_name, option_value, autoload)
VALUES (NULL, 'hh_access_control_allow_origin', '1', 'yes')
ON DUPLICATE KEY UPDATE option_value = '1', autoload = 'yes';

INSERT INTO wp_options (option_id, option_name, option_value, autoload)
VALUES (NULL, 'hh_access_control_allow_origin_url', 'a:4:{i:0;s:21:"https://www.xillion.nl";i:1;s:22:"https://www.xillion.nl";i:2;s:18:"https://xillion.nl";i:3;s:17:"https://xillion.nl";}', 'yes')
ON DUPLICATE KEY UPDATE option_value = 'a:4:{i:0;s:21:"https://www.xillion.nl";i:1;s:22:"https://www.xillion.nl";i:2;s:18:"https://xillion.nl";i:3;s:17:"https://xillion.nl";}', autoload = 'yes';</em>

    But they don’t show up when i inspect the headers. Some other parameters do, like the CSP policy do show up.

    • This reply was modified 6 years, 4 months ago by quadrumanous.
    • This reply was modified 6 years, 4 months ago by Jan Dembowski.
    Plugin Author Dimitar Ivanov

    (@zinoui)

    Ah, I forgot to mention that after plugin update, you have to save settings using the “Save Changes” button (found at Dashboard > Access control > Access-Control-Allow-Origin) just to force the plugin to update the .htaccess file.

    Thread Starter quadrumanous

    (@quadrumanous)

    Hi Dimitar,

    I’ve just tried that.. no difference.
    Might there be some syntax error which causes the .htaccess update to break or so?

    Regards,

    Jean

    Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi Jean,

    Can I see your .htaccess file?

    Also, how do you test for the Access-Control-* headers? You need to know that this set of headers are sent only with cross-origin requests. So, if the Origin header is missing in the request you can’t expect the Access-Control-* headers to be sent with the response.

    My best,

    Thread Starter quadrumanous

    (@quadrumanous)

    Hi Dimitar,

    Have our .htaccess:
    RewriteEngine On
    RewriteBase /

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase //
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . //index.php [L]
    </IfModule>

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress
    # Wordfence WAF
    <Files “.user.ini”>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    # END Wordfence WAF

    Test: curl -I https://www.xillion.nl/diensten/advies-consultancy/ -H “Origin: bing.com”

    Thread Starter quadrumanous

    (@quadrumanous)

    Hi Dimitar, I might have found some hint on to malfunctioning of the settings.

    when I hit the save changes button on the advanced settings pages a empty page with status code 500 is returned and the .htaccess file is not updated/changed.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Not alle headers are actived’ is closed to new replies.