• Resolved digiscrap

    (@digiscrap)


    I see the lines below two times in the securityheaders.com output.

    Looks like it is adding twice? When I disable your plugin all is gone. So the plugin adds it 2 times with some different values (4th / last line). Maybe it is normal behavior, I don’t know?

    access-control-allow-origin null
    access-control-allow-methods GET,PUT,POST,DELETE
    access-control-allow-headers Content-Type, Authorization
    x-content-security-policy default-src ‘self’; img-src *; media-src * data:;

    access-control-allow-origin null
    access-control-allow-methods GET,PUT,POST,DELETE
    access-control-allow-headers Content-Type, Authorization
    x-content-security-policy img-src *; media-src * data:;

    Thanks again for your help!
    Regards, Vincent

  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @digiscrap, thanks for your topic. I am Andrea and I will help you with your request. When you run the verification tests, it might show you the notification “duplicate headers”. This doesn’t cause any issues for the website or its loading. I can confirm it is normal to see some duplicate headers if the hosting adds some headers by default, but those of the plugin will be the ones taken as important.

    I am available for further questions or help.

    Thread Starter digiscrap

    (@digiscrap)

    Hello and thank you. It does not show the notification. It shows duplicate RAW header lines. Please see the report: https://securityheaders.com/?q=digiscrap.plus&followRedirects=on

    You see that the lines below are in the report, but the lines are the same:

    access-control-allow-origin null
    access-control-allow-methods GET,PUT,POST,DELETE
    access-control-allow-headers Content-Type, Authorization
    x-content-security-policy default-src ‘self’; img-src *; media-src * data:;

    access-control-allow-origin null
    access-control-allow-methods GET,PUT,POST,DELETE
    access-control-allow-headers Content-Type, Authorization
    x-content-security-policy img-src *; media-src * data:;

    I can’t upload images here, so please create a report and look at the RAW headers section.

    Thanks, Vincent

    Plugin Contributor Rimas

    (@erku)

    This header duplication is likely the result of the plugin adding Header set directives to .htaccess, but also adding these headers at response time.

    I don’t think it hurts, assuming both sets of headers are in sync (and they should be now), but I don’t think it adds much value either. I guess the only downside of not having these directives in .htaccess would be that they wouldn’t be sent with error responses and non-PHP responses such as file downloads. Which, at least to me, is acceptable.

    On the other hand, the .htaccess file is Apache-specific, so it has no effect whatsoever on Nginx and other web servers. Plus, even on Apache it may be ignored, or even cause server configuration errors when it’s not ignored but disallowed instructions are used.

    @unicorn03, would you consider dropping the .htaccess support altogether? It would allow you to remove a great deal of code from the plugin. Alternatively, it could be placed behind a settings checkbox or drop-down.
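
The duplication discussed in this thread can be checked offline from a raw header dump, separating headers that are repeated with the same value from those repeated with different values. This is an added example, not code from the plugin or from any poster; the function names are hypothetical, and the sample input is constructed from the header lines quoted in the thread (with straight quotes).

```python
from collections import defaultdict

# Constructed sample: the raw header lines quoted in the thread, in the
# "name value" layout of the report's raw headers section.
RAW = """\
access-control-allow-origin null
access-control-allow-methods GET,PUT,POST,DELETE
access-control-allow-headers Content-Type, Authorization
x-content-security-policy default-src 'self'; img-src *; media-src * data:;
access-control-allow-origin null
access-control-allow-methods GET,PUT,POST,DELETE
access-control-allow-headers Content-Type, Authorization
x-content-security-policy img-src *; media-src * data:;
"""

def parse_headers(raw):
    """Yield (name, value) from 'Name: value' or 'name value' lines."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        # A colon in the first token means wire format ("Name: value").
        sep = ":" if ":" in line.split(None, 1)[0] else " "
        name, _, value = line.partition(sep)
        # Header names are case-insensitive; collapse whitespace in values.
        yield name.strip().lower(), " ".join(value.split())

def find_duplicates(raw):
    """Map each repeated header name to (status, [values in order sent])."""
    seen = defaultdict(list)
    for name, value in parse_headers(raw):
        seen[name].append(value)
    report = {}
    for name, values in seen.items():
        if len(values) > 1:
            status = "identical" if len(set(values)) == 1 else "conflicting"
            report[name] = (status, values)
    return report

if __name__ == "__main__":
    for name, (status, values) in sorted(find_duplicates(RAW).items()):
        print(f"{name}: sent {len(values)}x, {status}")
        if status == "conflicting":
            for v in values:
                print(f"    {v}")
```

Headers reported as conflicting are the ones to reconcile between the two places that emit them, which in this thread means the `.htaccess` directives and the headers added at response time.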
