HSTS Header Present But Not Working

Viewing 15 replies - 1 through 15 (of 18 total)

  • I see the same issue; HSTS appears to be in the .htaccess file, but the HSTS test is failing on both:
    https://securityheaders.com/
    https://www.serpworx.com/check-security-headers/

    Is this a bug?
    The site is:
    https://www.mbsdpipes.com/

    Plugin Contributor Rimas

    (@erku)

    It’s the same in my case, and I would guess that, just like me, you aren’t using Apache, so the .htaccess file simply doesn’t have any effect.

    Since all other headers are also sent by PHP I would classify this as a bug. Furthermore, looking at the code, I see that the function which instructs WordPress to add this HTTP header to the output is only called when the settings for this particular header are updated, which actually has no effect since the update action produces a redirect response with no custom headers whatsoever, so it’s definitely a bug.

    I also noticed that this plugin adds two <IfModule mod_headers.c> blocks in the file instead of just one: the first one only contains an instruction to add the HSTS header, and the other contains instructions for all other headers. Furthermore, the HSTS block gains an extra blank line each time these settings are saved. It would be nicer if only one such block was added and the unnecessary blank lines were not there.

    • This reply was modified 1 year, 6 months ago by Rimas.

    I am using Apache and I believe I’ve discovered what causes the HSTS to fail even though the code is present in HSTS.

    in my case it is because I have a primary “redirect” of my website from https://mysite.com/ to https://www.mysite.com/

    Technically HSTS doesn’t like/allow a redirect from one url to another.

    For me this redirect issue occurred because I accidentally didn’t include the non-www url in my SSL Certificate when I made it and I did this as a temporary workaround until I figured out the issue.

    Check and see if you have the same issue. WordPress Health Check really should tell us this is the issue as the error message is returned on site checks like securityheaders.com

    Your cause of HSTS fail may be different but this was mine.

    Plugin Contributor Rimas

    (@erku)

    @kennetheyoung, I would guess that the response to your https://mysite.com/ request didn’t have the HSTS header (or any other headers added by this plugin), but then the one to the https://www.mysite.com/ request did? I think this would be perfectly normal, because the original redirect might be performed outside WordPress, or, even if not (this depends on the setup), WordPress might not be adding any custom headers (including these) due to the redirect nature of the response.

    • This reply was modified 1 year, 6 months ago by Rimas.
    • This reply was modified 1 year, 6 months ago by Rimas.
    Thread Starter thirstyjon

    (@thirstyjon)

    Important note: Somehow I spelled my own name wrong in the link that I need help with haha.

    This almost has to have been some sort of auto correct thing.

    But the link is actually https://jondavis.me – NO “h.”

    Thread Starter thirstyjon

    (@thirstyjon)

    @erku

    When you say the non-Apache server thing is a “bug” do you mean that it is a bug in this plugin?

    Or a bug in how HSTS works?

    Or something else?

    My site is on an OpenLiteSpeed server setup (Vultr).

    Thread Starter thirstyjon

    (@thirstyjon)

    @kennetheyoung

    I am not using an Apache server but an OpenLiteSpeed server.

    I also have the SSL setup for both the www and not-www version of the domain.

    The www version DOES forward automatically to the non-www version.

    Thread Starter thirstyjon

    (@thirstyjon)

    @erku

    Does “Plugin Contributor” mean you are a contributor to this specific plugin? Or to plugins in general?

    In other words, do I need to wait for @unicorn03 (Andrea the plugin author) to show up and help me?

    It appears that they aren’t around that often.

    I am wondering if I need to move on and look for a different solution.

    (Important side note: I am not complaining. I don’t feel entitled to any help on this free plugin at all. Just trying to decide if this solution is going to solve my problem or if I need to start looking elsewhere)

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @thirstyjon , thank you for downloading the Headers Security Advanced & HSTS WP plugin.

    For some reason I am not getting topic notifications via email and the only way at the moment is to check topics via browser.

    Don’t worry I am here to help you with your report and to speed up the timeline and offer you the best assistance I ask if you can write me at support@tentacleplugins[dot]com

    Thread Starter thirstyjon

    (@thirstyjon)

    @unicorn03

    Thanks Andrea.

    I sent you an email at that address.

    Plugin Contributor Rimas

    (@erku)

    @thirstyjon, yes, I meant it’s a bug in the plugin. I’m now able to contribute to this plugin since yesterday evening (thanks to @unicorn03) and I plan to look into this issue since, as a user of Nginx, I’m also affected by it.

    Thread Starter thirstyjon

    (@thirstyjon)

    @erku

    Wonderful!

    This plugin is a great idea and it would be nice to have it fully functional. ??

    Plugin Contributor Rimas

    (@erku)

    Status report: I made a huge pull request to @unicorn03. At least on my server, the header now works as expected and I haven’t noticed any regressions caused by my changes.

    Plugin Contributor Rimas

    (@erku)

    Aaaand, it’s now live!

    Thread Starter thirstyjon

    (@thirstyjon)

    Deleted

    • This reply was modified 1 year, 6 months ago by thirstyjon.
    • This reply was modified 1 year, 6 months ago by thirstyjon.
Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘HSTS Header Present But Not Working’ is closed to new replies.