The plugin triggers the following notice since WP 6.7:
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the gd-security-headers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. (This message was added in version 6.7.0.) in wp-includes/functions.php on line 6114
See this SO post for more info:
This has been mentioned on this forum before, but the post is still unresolved and now closed:
Could you please allow adding the “preload” flag to the HSTS setting?
I have checked “Upgrade insecure requests” in the settings, but it is not added to the .htaccess file (and also doesn’t appear in the headers section). Is this a general bug?
Hello
I am currently testing your plugin for a website that I work on.
I would like to know whether it is currently possible to add a “nonce” security token to all the needed content element tags: a “nonce” security token which is unique and is generated anew each time a page is loaded.
Currently it’s possible in your plugin to add the hashes of all the content elements to the CSP, but this needs to be done manually, right? Does your plugin have any means to recognize these hashes automatically and add them to the CSP rule-set?
Sincerely,
Gevorg
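As an added illustration of what a per-request nonce involves in WordPress (example code written for this thread, not part of the GD Security Headers plugin): the hook names are real WordPress hooks, while the example_ function names, the policy string and the hash helper are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code: a per-request CSP nonce for WordPress.
// send_headers, script_loader_tag and wp_inline_script_attributes are real
// WordPress hooks; the example_* functions are ours.

function example_csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // 16 random bytes (128 bits), base64-encoded: a fresh value on every request.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Emit the CSP header before any output. 'strict-dynamic' lets scripts that a
// nonced script loads at runtime execute without listing every host.
add_action('send_headers', function () {
    $nonce = example_csp_nonce();
    header(sprintf(
        "Content-Security-Policy: script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'self'",
        $nonce
    ));
});

// Stamp the nonce on every script tag WordPress prints for wp_enqueue_script().
add_filter('script_loader_tag', function (string $tag, string $handle, string $src): string {
    $nonce = esc_attr(example_csp_nonce());
    return str_replace('<script ', '<script nonce="' . $nonce . '" ', $tag);
}, 10, 3);

// Inline scripts added with wp_add_inline_script() need the attribute as well.
add_filter('wp_inline_script_attributes', function (array $attributes): array {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
});

// For inline scripts that must survive page caching, a hash source can be used
// instead of a nonce; it must match the script body byte for byte.
function example_csp_sha256(string $script_body): string {
    return "'sha256-" . base64_encode(hash('sha256', $script_body, true)) . "'";
}
```

Two points worth knowing before relying on this: a page cache (or CDN) serves the same nonce to every visitor, which defeats the purpose, so nonces only help when the HTML is generated per request; hash sources survive caching but have to be recomputed whenever the inline script changes, which is why plugins tend to leave hashes to the site owner.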
Hi,
When testing I saw that the plugin establishes a connection to use.fontawesome.com. This is tricky in two ways. First: users in the EU need to get consent from their users. Second: some don’t want to establish a connection, such as me. I use a local version of Font Awesome. Please add an option where Font Awesome can be loaded locally or f.ex. tick an option box where it says that the website already uses FA.
Hi, please see this linked page for info:
What should we do? Thank you.
It would be nice if there were a function that would automatically clean up the log database after a desired period of time. There may be a large number of entries and the database will be relatively large.
Is there any way to turn off or modify the frame-src header? I can’t seem to find anything in the settings. The only way to get iframes to appear is to disable the plugin.
Hello! I found out today that I had several console log errors.
Upon inspection, some of them were related to the CSP and Google Translate.
For the script:
I thought that because I had ticked the “Google Translate” check box that all needed settings would be configured?
Just checking. Thanks.
After adding quite a few domains to the Automatic generate rules for CDN, my site gets a 503 error. Usually if I remove any domain from the list, the site comes back up. It is like there is a limit on how many domains can be added. I was wondering if anyone else has had this issue and what I can do to fix this?
When we enable Google Services:
Google Youtube
Google Tag Manager
It seems to create:
child-src ‘self’ https://www.youtube.com https://www.googletagmanager.com;
This despite disabling the CSP Level 2 child directive.
This kicks up a warning for us:
The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.
Should/could these be updated so the correct directives are used when enabling these Google Services?
Hi, is it possible to add the “Preload” option to the Strict Transport Security? Unless there is a specific reason that it shouldn’t be used or made available?
In WP multisite as network admin, I was unable to export the plugin settings from /wp-admin/network/admin.php?page=gd-security-headers-tools&panel=export with this showing in the logs:
GET /wp-admin/network/admin.php?page=gd-security-headers-tools&gdsih_handler=getback&run=export&_ajax_nonce=afcd44fb9f HTTP/1.1" 500
The problem is in d4plib\d4p.wp.php ~line 139: The access check fails even though I am network admin. I suggest this function needs to check for is_super_admin():
if (!function_exists('d4p_is_current_user_admin')) {
function d4p_is_current_user_admin() {
return d4p_is_current_user_roles('administrator');
}
}
E.g.
if (!function_exists('d4p_is_current_user_admin')) {
function d4p_is_current_user_admin() {
return d4p_is_current_user_roles('administrator') || is_super_admin();
}
}
Steps:
In the Feature-Policy / Permissions-Policy settings, select “Both policies” and Full screen “Allowed for self and Custom URL’s”, then add https://www.youtube.com. Select do not include this policy for all other features. Plugin version 1.6.1.
Browser console reports:
Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.
Postman reports:
Permissions-Policy: fullscreen=(‘https://www.youtube.com’)
Following your advice to look for errors in the browser console I noticed I have this error on my site:
“Error with Permissions-Policy header: Origin trial controlled feature not enabled: ‘interest-cohort”
Can I solve this in your plugin? and if not, what should I do otherwise?
I’ll appreciate any help with that
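Added example, not the plugin's code, covering the two Permissions-Policy reports above: the header is a Structured Field dictionary, so origins must be double-quoted strings and self a bare token (the single-quoted value Postman showed is what the structured header parser rejects), and a feature that is not selected, or that the browser no longer knows, such as the interest-cohort name in the second error, is best left out of the header altogether. The feature names and allowlists in the usage call are constructed.

```php
<?php
// Added example, not the plugin's code: serialise a Permissions-Policy value
// as a Structured Field dictionary (RFC 8941), the format browsers parse.

/**
 * $features maps feature name => allowlist, where an allowlist is '*',
 * an array of 'self' and/or origins (https://www.youtube.com), or null.
 * A null allowlist means "do not include this policy" and emits nothing.
 */
function example_build_permissions_policy(array $features): string {
    $members = [];
    foreach ($features as $feature => $allowlist) {
        if ($allowlist === null) {
            continue; // feature not included in the header at all
        }
        if (!preg_match('/^[a-z][a-z0-9-]*$/', $feature)) {
            throw new InvalidArgumentException("invalid feature name: $feature");
        }
        if ($allowlist === '*') {
            $members[] = "$feature=*"; // bare token, no parentheses
            continue;
        }
        $items = [];
        foreach ((array) $allowlist as $origin) {
            if ($origin === 'self') {
                $items[] = 'self'; // sf-token: never quoted
            } elseif (preg_match('#^https?://[^/\s"\']+$#', $origin)) {
                // Origins are sf-strings: double quotes only. Single quotes make
                // the structured header parser reject the whole header.
                $items[] = '"' . $origin . '"';
            } else {
                throw new InvalidArgumentException("invalid origin: $origin");
            }
        }
        // An empty inner list "()" denies the feature everywhere.
        $members[] = $feature . '=(' . implode(' ', $items) . ')';
    }
    return implode(', ', $members);
}

// Usage with a constructed configuration like the one described in the post.
echo 'Permissions-Policy: ', example_build_permissions_policy([
    'fullscreen'  => ['self', 'https://www.youtube.com'],
    'geolocation' => [],     // emitted as geolocation=()
    'camera'      => null,   // not emitted
]), PHP_EOL;
// Permissions-Policy: fullscreen=(self "https://www.youtube.com"), geolocation=()
```

A quick check after changing the setting is to request the page with curl -I and confirm the value contains no single quotes; the browser console error disappears as soon as the header parses.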
I have two blogs where I configured recommended security header rules using this plugin. The plugin has worked on report-only for a while and now I want to switch to live mode (to actually protect my site).
How can I know that everything is working properly?
Where and what kinds of errors should I look for to figure out if I can safely switch to live mode?
Thanks,
Since last week, I have a problem with the interaction between your plugin and Elementor Pro.
I can’t access the theme builder directly, via the Templates menu. WordPress displays a blank page with the error message: “parsererror”.
The URL is the following:
https://domain-name/wp-admin/admin.php?page=elementor-app&ver=3.5.5#/site-editor
If I deactivate your plugin everything is fine.
If your plugin is activated and I use this URL:
https://domain-name/wp-admin/admin.php?page=elementor-app&ver=3.5.5#
it works. I arrive on this page https://nom-de-domaine/wp-admin/admin.php?page=elementor-app&ver=3.5.5#/site-editor/templates.
Do you have a fix for this problem?
Thank you in advance for your help.
How do you go about allowing the Google reCAPTCHA scripts? I am getting a CSP conflict with https://www.gstatic.com/recaptcha/releases/BycHQdSIhzR_1EcOLw2mOzYQ/recaptcha__en.js
When I add the full URL or even https://www.gstatic.com, it creates a loop of errors about the site key.
Hello,
I was using your plugin for months and it worked fine. Today I updated some configurations (in the plugin) and now I can not keep it active. Each time I install the plugin I get a 502. How could I remove all info from your plugin directly from the database? I want to install it again from scratch.
regards,
Warning: Invalid argument supplied for foreach() in /homepages/20/d34869179/htdocs/AM/wp-content/plugins/gd-security-headers/core/admin/options.php on line 24
Warning: Cannot modify header information – headers already sent by (output started at /homepages/20/d34869179/htdocs/AM/wp-content/plugins/gd-security-headers/core/admin/options.php:24) in /homepages/20/d34869179/htdocs/AM/wp-includes/pluggable.php on line 1340
WordPress v5.8.3
Paypal and Statcounter are common third party services. Paypal is a pretty simple add. I think you just need to permit an image object.
https://www.paypalobjects.com/webstatic/mktg/logo/AM_mc_vs_dc_ae.jpg
But I can’t figure out Statcounter. I added https://*.statcounter.com to my script-src, but scripts are still being blocked.
https://secure.statcounter.com/counter/counter.js
Though this feature was added in version 1.4, I cannot find it anywhere in the settings and it seems from the CSP log I need them for “self”.
So where can I find this option in the settings? I am using version 1.5.
Thanks in advance and kind regards,
Michel
So first, I love that this plugin sets up good default CSP settings out of the box without users having to set a bunch of sensible WP defaults (like allow unsafe inline/eval) etc.
Now the less good parts… in spite of working out of the box, the UI is overly complicated and confusing. It feels very “non-WordPress” and is just downright hard to navigate.
So maybe I just can’t find it, but I _really_ don’t want CSP reporting to my already overburdened and high-traffic server. I really want it reporting back to report-uri.com where I’ve already got a bunch of filters and rules set up.
Can the report-to URI be changed? If so, I can’t find it. If not, it renders this plugin unusable to me.
I can’t seem to solve this problem in any way:
The Content-Security-Policy directive name ‘s.w.org’ contains one or more invalid characters. Only ASCII alphanumeric characters or dashes ‘-‘ are allowed in directive names.
But this directive is not specified anywhere. Is it possible that there is a bug in the plugin?
Hi guys!
I can’t find the problem. My website is connected to Cloudflare. When viewing the logs, I sometimes see a 403 error. How do I fix this?
csp-report {…}
blocked-uri "data"
document-uri "https://thaimotorent.com/bangkok-scooter-rental/"
original-policy "default-src 'unsafe-inline' 'unsafe-eval' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://script-src 'self' https://ajax.cloudflare.com; img-src 'self' https://*.gravatar.com; style-src 'self' 'unsafe-inline' data:; connect-src 'self'; font-src 'self' data:; object-src 'none'; media-src 'self'; frame-src 'self' data:; child-src 'self' data:; upgrade-insecure-requests; report-uri https://thaimotorent.com/?gdsih-csp-report"
referrer "https://thaimotorent.com/"
violated-directive "img-src"
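Added example, not the plugin's code, that applies to the two CSP problems reported above: the browser's complaint about a directive named ‘s.w.org’, and the report whose original-policy contains "https://script-src" inside the script-src source list. Both are the same kind of fault, a directive name and a source list joined or split at the wrong place, and the report additionally shows why the data: image was blocked (img-src has no data: source while default-src does). The linter below parses a policy string against the CSP3 directive names, flags unknown directive names, repeated directives and host sources that are really directive names, and explains a violation report. The report, host names and the example_ function names are constructed for this example.

```php
<?php
// Added example, not the plugin's code: a small CSP linter and violation-report
// explainer. The directive list is the CSP3 directive set; the sample report is
// constructed to resemble the one posted above.

const EXAMPLE_CSP_DIRECTIVES = [
    'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
    'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
    'connect-src', 'media-src', 'object-src', 'frame-src', 'worker-src',
    'child-src', 'base-uri', 'form-action', 'frame-ancestors', 'sandbox',
    'report-uri', 'report-to', 'upgrade-insecure-requests',
];

/** Parse "name src src; name src" into ['directives' => [name => [sources]], 'findings' => [...]]. */
function example_lint_csp(string $policy): array {
    $directives = [];
    $findings = [];
    foreach (explode(';', $policy) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        if (!in_array($name, EXAMPLE_CSP_DIRECTIVES, true)) {
            // Same situation the browser reports as an invalid directive name:
            // usually a source list that lost its directive, e.g. a ";" typed
            // where a space was intended.
            $findings[] = "unknown directive name '$name' (misplaced ';' before it?)";
            continue;
        }
        if (isset($directives[$name])) {
            $findings[] = "directive '$name' appears more than once; browsers ignore the repeat";
            continue;
        }
        foreach ($tokens as $src) {
            // A host source that is itself a directive name ("https://script-src")
            // means two rules were glued together without a ";" between them.
            if (preg_match('#^https?://([a-z-]+)$#', $src, $m)
                && in_array($m[1], EXAMPLE_CSP_DIRECTIVES, true)) {
                $findings[] = "'$name' contains source '$src', which is a directive name; a ';' is probably missing before it";
            }
        }
        $directives[$name] = $tokens;
    }
    return ['directives' => $directives, 'findings' => $findings];
}

/** Explain a CSP violation report: which directive applied and whether the blocked scheme was allowed. */
function example_explain_report(array $report): string {
    $parsed  = example_lint_csp($report['original-policy']);
    $d       = $report['violated-directive'];
    $sources = $parsed['directives'][$d] ?? $parsed['directives']['default-src'] ?? [];
    $blocked = $report['blocked-uri']; // "data" means a data: URL was blocked
    $allowed = in_array($blocked . ':', $sources, true);
    return sprintf(
        "%s blocked a %s: URL on %s; %s allows [%s]%s",
        $d, $blocked, $report['document-uri'], $d, implode(' ', $sources),
        $allowed ? '' : " -> add '$blocked:' to $d only if that resource is legitimate"
    );
}

// Constructed report shaped like the one in the post (policy shortened).
$report = [
    'blocked-uri'        => 'data',
    'document-uri'       => 'https://example.test/page/',
    'violated-directive' => 'img-src',
    'original-policy'    => "default-src 'self' data:; "
        . "script-src 'self' data: https://script-src 'self' https://cdn.example.test; "
        . "img-src 'self' https://*.gravatar.com; s.w.org",
];
print_r(example_lint_csp($report['original-policy'])['findings']);
echo example_explain_report($report), PHP_EOL;
```

Running the linter over the policy the plugin actually emits (copy it from the headers page or from the original-policy field of a report) shows where the rule text was joined incorrectly; once the separators are fixed the ‘s.w.org’ and "https://script-src" findings disappear, and the img-src decision becomes a deliberate choice rather than a side effect of the broken policy.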
Thank you for your plugin.
I see in my reports some blockage on child-src (stripe.js and google.com) although I have set a child rule for them. I also cannot find this child-src rule in the /Header page.
The Connect rule doesn’t show up either.
Is it normal?
Thank you.
I’m not sure how to fix this warning in GD Security Headers, is it possible please?
Not sure what setting to change to allow Google Maps and Instagram images to appear?
Hi,
Content Security Policy / Auto Source Rules :
> When I check the checkbox “Data Rule”, “data:” is added into the .htaccess file. But when I check the checkbox “Blob Rule” or “Mediastream Rule” or “FileSystem Rule”, “blob:” isn’t added into the .htaccess file. I must manually add ‘blob:’ as a custom rule … Is it a bug?
Love the plugin. Makes life way better.
Looking at the CSP reports I keep seeing things from media-src and script-src-elem.
When I view the headers, it seems media-src is not even printed in there at all, even though it is in the settings.
The script-src-elem is not even in the settings for me to add stuff to.
I can add these manually, but just letting you know of the issue I am having.