Hi bro,
Yes, Enhanced doesn’t touch PHP, so the header is not added. But no Nginx header is added either. I found the cause of the bug. It is related to the W3TC Nginx configuration.
- First, please read the post below:
https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx
- And the config code below is created by W3TC Disk:Enhanced. Please check:
location ~ /wp-content/cache/page_enhanced.*html$ {
    add_header X-Powered-By "W3 Total Cache/0.9.7.1";
}
Because of the enhanced config, only the “X-Powered-By: W3 Total Cache/0.9.7.1” header is visible. Other security headers are added to the browser cache part of the config by W3TC. Headers such as X-Frame-Options and Referrer Policy are removed from the HTTP headers by Nginx. The charset utf8 is also removed from the Content-Type header.
- And this is another example which is created by W3TC (for JS and CSS files):
location ~ /wp-content/cache/minify/.*\.css$ {
    types {}
    default_type text/css;
    expires modified 31536000s;
    add_header X-Powered-By "W3 Total Cache/0.9.7.1";
    add_header Vary "Accept-Encoding";
    add_header Pragma "public";
    add_header Cache-Control "public";
}
Again, all of the other HTTP security headers are removed by Nginx (like X-Frame).
The main idea is that NGINX always fulfills requests using the most specific match. I can’t fix it because I shouldn’t edit config lines created by W3TC. But you may fix it in the next update, please.
My English is not good, sorry about that. However, I hope you understand it, bro. Feel free to ask anything if you don’t understand my poor language. Or deploy a simple Nginx server and then turn on security headers with Disk:Enhanced. You will see everything.
Nginx is the next generation of the webmaster world. Even personal bloggers will migrate their websites to Nginx soon. And I hope we’ll make W3TC better.
I marked it as resolved, but please let me know your feedback. Thanks,
Best regards.
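
The header loss described in this post, as an added example that is not part of the original post or of W3TC's code: a small Python check that parses a simplified Nginx config and reports every block whose own add_header lines stop the enclosing level's headers from being inherited. The sample config is constructed (the server-level header values are assumptions), and the tokenizer assumes no comments and no braces inside regex patterns.

```python
import re

# Constructed sample: the location blocks follow the W3TC ones quoted in the
# post; the server-level security headers and their values are assumptions.
SAMPLE = r'''
server {
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    location / { try_files $uri $uri/ /index.php; }
    location ~ /wp-content/cache/page_enhanced.*html$ {
        add_header X-Powered-By "W3 Total Cache/0.9.7.1";
    }
    location ~ /wp-content/cache/minify/.*\.css$ {
        types {}
        add_header X-Powered-By "W3 Total Cache/0.9.7.1";
    }
}
'''

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each."""
    root = {"name": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', conf):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            node = {"name": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif len(words) >= 2 and words[0] == "add_header":
            stack[-1]["headers"].append(words[1].strip('"'))
        words = []
    return root

def dropped_headers(node, inherited=()):
    """A level with any add_header of its own inherits none from its parent."""
    own = {h.lower() for h in node["headers"]}
    lost = [h for h in inherited if own and h.lower() not in own]
    findings = [(node["name"], lost)] if lost else []
    effective = node["headers"] or list(inherited)
    for child in node["children"]:
        findings += dropped_headers(child, effective)
    return findings

if __name__ == "__main__":
    print(dropped_headers(parse(SAMPLE)))
```

A block reported here only sends the parent's headers if they are repeated inside it, for example through a shared include file.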