When I updated the Kinsta server to PHP version 8.3, I got bombarded with this error. Can you define what has caused this?
Warning: Undefined array key “apply_child_override” in /Users/imd-mbp/Local Sites/nasassets/app/public/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-common.php on line 73

Is a known issue and will be corrected with the next release.
You will need to have patience for the release, as I am 1 person, and do this for free and in my spare time.
Any demands will be ignored, and if possible… reported.

WordPress version: 6.6.1-de_DE
Security Header Generator version: 5.1.29
Themes: “Responsive” on one website, “ExS Medic” on two other websites
Problem: After logging into my three WordPress self-hosted websites as an administrator, the “Security Headers” menu item in the left menu is no longer visible. This means that I cannot configure the security headers settings. The plugin worked fine in former WordPress and/or plugin versions.
I enabled debugging in wp-config.php but the file wp-content/debug.log is not created during the log-in. Due to the fact that I cannot open the Security Header Generator, no further errors are reported.

Many of these in my log:
PHP Warning: Trying to access array offset on value of type bool in */wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-common.php on line 73
Suggest just replacing $_opts['apply_child_override'] with (appending a null coalescing operator) $_opts['apply_child_override'] ?? '' (or any falsey value)
PHP 8.2.22
WP 6.6.1 (multisite)
SHG 5.1.29

Hi there,
I’m trying to configure my security headers with your plugin, and you refer to the Implementation tab to apply the headers, but the Implementation tab is not present? I can see it being available in your screenshots, but for me, it’s not there.

First of all, thank you for the first-class plugin.
Unfortunately, I have a challenge working with the WP Fastest Cache plugin. If the cache is activated, the security headers are not displayed.
Do you know a solution? Or do you know another caching plugin that works well with Security Header Generator?
WP 6.4.3
WP Fastest Cache: 1.2.3 and 1.7.0 (Premium)
SHG: 4.1.23

I used WinSCP to run the CLI command “wp csp generate” and it appears to start working before generating the error “invalid file ID”. I checked with Siteground to see if they were blocking it and they ran the same command on a separate client and got the same error.
I’ve reached out to support for WinSCP and they’re miffed as well. Both seem to think this might be an invalid command. They also suggested running it on PuTTY, which I have not done yet because I’m clueless.
All this stuff is new to me and honestly, I can identify most everything that needs to be given permission but have no idea what should be inline or otherwise. Everything mucks up including the Google fonts, which you already have autofilled. It’s why I wanted to use the other option to generate it for me.
Any suggestions on a different client to use and/or perhaps the command is incorrect? I’m stumped.

I host my podcast with Blubrry and the downloads have never been direct. MIME type is correct but the issue is on their end. I noticed you have the option to force downloads instead of opening in a web browser by adding it to my header. I’ve enabled it but to no effect.
I did make an exception for Blubrry in the plugin so their PowerPress plugin displays properly on my website but is there a way to force direct downloads without relying on Blubrry because they have no interest in fixing the problem even though they admit to the issue?
WordPress Version 6.3.2
Security Header Generator Version 4.0.01
Chrome Version 117.0.5938.152 (Official Build) (64-bit)
Windows 11

I’m using WordPress 6.3.1 with Security Header Generator 4.0.01. When I run “wp csp generate” I get the following error:
Warning: We have started processing the site. This can take awhile to complete, please keep this window open until it has finished.
Warning: Attempt to read property "ID" on null in /nas/content/live/mywebsite/wp-content/plugins/security-header-generator/cli/work/kcp-cspgen-cli-process.php on line 183
Error: There was an error gathering the resources: Invalid post ID.
My WordPress is hosted on wpengine.com, but I have standard shell user access.
I’ve enabled WP_DEBUG* in wp-config.php, but I can’t get more details than I’ve posted above. My posts use the Elementor plugin; I don’t know if this could be a problem.
How can I solve the problem? Thank you.

Hi
I’m working through a pen test report and some file paths have been flagged as not returning a Strict-Transport-Security.
An example: /wp-admin/load-styles.php, which is called on /wp-admin/plugins.php, and the Response Headers do not return the Strict-Transport-Security rules as defined.
However, I can see this in the response headers of the page itself (i.e. /wp-admin/plugins.php), which returns max-age=31536000; includeSubdomains; preload correctly.
Is there something I can do to solve this? Or am I missing something?

It seems the new emoji detector in WP 6.3 creates a blob as worker-src. Maybe add “worker-src blob:” to “Include WordPress defaults”?
Also: If child-src is deprecated, and fallback is script-src, could it be removed?
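
The directive fallback raised in the post above, as an added example (not part of the original post and not the plugin's code): under CSP Level 3, worker requests are checked against worker-src, then child-src, then script-src, then default-src, and a blob: URL is matched only by an explicit blob: scheme source. The function names and sample policies are constructed for illustration.

```javascript
// Added example: find which CSP directive governs Worker creation and
// whether a blob: worker is allowed. Policies below are constructed samples.

// Parse a serialized policy into Map(directive-name -> [source expressions]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP Level 3 fallback order for worker requests.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Return the first directive in the fallback chain that the policy defines.
function effectiveWorkerDirective(policy) {
  const directives = parseCsp(policy);
  const name = WORKER_FALLBACK.find((d) => directives.has(d));
  return name ? { name, sources: directives.get(name) } : null;
}

// blob: URLs are matched only by an explicit "blob:" scheme-source;
// 'self' and "*" do not cover them. No governing directive = no restriction.
function allowsBlobWorker(policy) {
  const effective = effectiveWorkerDirective(policy);
  if (effective === null) return true;
  return effective.sources.some((s) => s.toLowerCase() === 'blob:');
}

// Constructed sample policies.
const samples = {
  scriptOnly: "default-src 'self'; script-src 'self' https://cdn.example.com",
  childSrcBlob: "default-src 'self'; script-src 'self'; child-src blob:",
  workerSrcBlob: "default-src 'self'; script-src 'self'; worker-src 'self' blob:",
};

for (const [label, policy] of Object.entries(samples)) {
  const eff = effectiveWorkerDirective(policy);
  const verdict = allowsBlobWorker(policy) ? 'allows' : 'blocks';
  console.log(`${label}: governed by ${eff.name}, ${verdict} blob: workers`);
}
```

Dropping child-src from the second sample moves the worker check to script-src, so blob: would then have to be listed there or in worker-src.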

Hi,
I’m just considering using your plugin. First of all, congrats for your work!
I use some specific directives for CSP, like the “report-to” which allows to send the log to endpoints. Is there any way to specify the report-to? It should apply to CSP, COEP, and COOP.
Thanks for guiding me.
Edit: I noticed that hash, strict-dynamic, nonce, report-sample directives are also missing. I edited the title.

rtrim(): Passing null to parameter #1 ($string) of type string is deprecated in wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php:207

Under Standard security headers -> Enforce certificate transparency: this option should be removed because Expect-CT header is already deprecated.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

Hola, thanks for the plugin.
Just wanted to point out that according to developers dot mozilla dot org, in the Content Security Policy page, it says that x-content-security-policy is no longer needed, only content-security-policy.
“To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that’s an older version and you don’t need to specify it anymore.)”
Your plugin generates two identical directives under both headers, and the x-content-security-policy output should be removed.
Hope this is useful.
Saludos,

Just wanted to point out something I stumbled across that is getting corrected for the next release.
The implementation tab in the plugin’s settings is incorrect. I just realized that through most of these releases over the last handful of months I was not updating that section with the rest of the updates… so, the next release will be concentrated on that.
I am hopeful to have that out within the next week.

Today I came across a special error message:
WordPress version 6.1.1
Active theme: Twenty Seventeen (version 3.1)
Current plugin: Security Header Generator (version 3.6.02)
PHP version 8.0.28
An error of type E_ERROR was caused in line 701 of the file /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php.
Fatal error: Uncaught TypeError: KCP_CSPGEN_Headers::kp_get_generated_csp(): Return value must be of type array, string returned in /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php:701 Stack trace: #0 /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php(408): KCP_CSPGEN_Headers->kp_get_generated_csp() #1 /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php(347): KCP_CSPGEN_Headers->kp_csp_builder() #2 /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php(80): KCP_CSPGEN_Headers->kp_populate_header_array() #3 /homepage/wp-includes/class-wp-hook.php(308): KCP_CSPGEN_Headers->{closure}(Object(WP)) #4 /homepage/wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters(”, Array) #5 /homepage/wp-includes/plugin.php(565): WP_Hook->do_action(Array) #6 /homepage/wp-includes/class-wp.php(561): do_action_ref_array(‘send_headers’, Array) #7 /homepage/wp-includes/class-wp.php(788): WP->send_headers() #8 /homepage/wp-includes/functions.php(1332): WP->main(Array) #9 /homepage/wp-admin/includes/post.php(1245): wp(Array) #10 /homepage/wp-admin/includes/class-wp-posts-list-table.php(165): wp_edit_posts_query() #11 /homepage/wp-admin/edit.php(235): WP_Posts_List_Table->prepare_items() #12 {main} thrown in /homepage/wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php on line 701
I get the error, when clicking on an (internal) link like this:
https://mywebsite.com/wp-admin/edit.php?focus_keyword=key%20word&post_type=post
which is generated by RankMath to check posts, which have the same keyword like the actual post.
It seems that the error is only caused when the checked keyword-phrase contains two or more parts. If it is only a single keyword, there is no error, e.g.:
https://mywebsite.com/wp-admin/edit.php?focus_keyword=keyword&post_type=post
Can I do anything to avoid this error other than not clicking on the link?
Thank you in advance for any hints!

Hi, how do I set Content-Security-Policy: default-src ‘self’ example.com *.example.com? Generate CSP -> Default Source (Inline) not working. Thank you for the advice?

I just installed your plugin and after a few minutes of reading and testing everything seems to work fine. Thank you for that!
Now when visiting my site, I see for a short moment an error message saying: “Warning: Undefined array key “Permissions-Policy” in /wp-content/plugins/security-header-generator/work/inc/kcp-cspgen-headers.php on line 326“
I’m working on WordPress 6.1.1 and your plugin 3.6.02.
Is it a bug or did I do anything wrong? Thank you in advance for any hint!

Hi, the plugin seems to cover all the major Security headers, but I can’t see a way to set X-XSS-Protection? Am I missing something? Any help appreciated!

If you have issues and need help, the best way anyone can help you is if you post all pertinent information with your help request.
At the very least, you need to let us know what version of WordPress Core you are on, and what version of the plugin you are on.
Other helpful information is the web browser and version you are using, what OS are you running, and posting a debug.log (https://www.google.com/search?q=how+to+enable+wordpress+debug+log&oq=how+to+enable+wordpress+debug+log&aqs=edge..69i57j0i22i30j0i390.7903j0j1&sourceid=chrome&ie=UTF-8)
If you do not post this information, you are only going to waste time going back and forth with developers who need to be able to test with your environment in order to debug an issue. If enough time passes and you do not reply with the information requested, your “help/support request” is likely to simply get closed without an answer for you.
So… do yourself, and every developer out there a favor… re-read the above…

The plugin has some sort of conflict with Mailpoet. When both are active, WP-AJAX does not work and front-end shows the 500 error.

Our dev site is hosted with WP Engine.
I’ve connected to the site on SSH, cd into the website root, run the command:
wp csp generate
Receive the response:
Warning: We have started processing the site. This can take awhile to complete, please keep this window open until it has finished.
This has been going for about 10 minutes with no further response.
Help appreciated.

Hi
Thank you for the free CSP generator plugin however, seems it did not work
I installed the plugin, login to root and move the website’s root folder, run the command, >> Success
Everything is ok, clear cache, check at securityheaders.com then nothing
You didn’t have any documents for users, no FAQ too.
Please give more details as possible. I don’t want to give it a low rating because you create it free for the community.
Thank you!

I am a little confused about how this plugin works. I am using ver. 1.9.44 of the plugin with WP 5.8 and Apache 2.4.
My understanding is that the plugin basically gives you a way to determine the directives to put in .htaccess (when using Apache) and the update of .htaccess has to be done manually.
However, I find that when the plugin is active and the various settings have been configured and the CLI command has been run, the response headers are indeed sent, exactly as configured in the plugin, even though there are no directives in .htaccess, which is completely unexpected.
Let me clarify the situation. I add the directives to .htaccess, clear all caches, and test the site (using either Chrome or https://viewhttpheaders.com) to see what headers are being sent. All is well. Then I remove the directives from .htaccess, clear the caches and retest. The headers are still there! Then I deactivate the plugin and retest. Now only the default WP headers are there, not what I configured in the plugin. Re-activate the plugin, but do not put the directives in .htaccess and the headers, as configured in the plugin, are once again being sent.
I am quite sure that there are no other .htaccess files lurking with any of the relevant directives. And there are no other plugins or functions in functions.php that send these headers.
So, have I completely misunderstood how the plugin is working, or is some other strange thing happening?

Is there a site with more explanatory information about the updates? The laconic phrases in the change log might provide a taste of what changes, but do not really allow for understanding.