Browser Caching breaks Child Theme Headers.
-
I have a child theme containing a block of code designed to add various security headers. Whenever I enable WP-Fastest-Cache, they are not included in the header.
function security_headers() { header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); header('X-Frame-Options: SAMEORIGIN'); header('X-Content-Type-Options: nosniff'); header('Referrer-Policy: same-origin'); // etc... } add_action( 'init', 'security_headers' );
-
I think I found the issue:
wpFastestCache.php>ln1536:
$response = wp_remote_get($url, array('user-agent' => $user_agent, 'timeout' => 10, 'sslverify' => false, 'headers' => array("cache-control" => "no-store, no-cache, must-revalidate, post-check=0, pre-check=0")));It looks like you are explicitly defining the headers to enable the cache control in a way that is replacing the page’s HTTP headers instead of appending to them. This can create security issues that most WP developers would miss because it can strip out a wide range of headers that other plugins try to add designed to prevent various kinds of XSS and MiM attacks which are often required to meet certain cyber security compliance standards like HIPPA and PCI.
To fix this, I would suggest using wp_get_http_headers() to first collect HTTP headers from the original page load, then pass them in addition to headers you need to include in your wp_remote_get call.
- The topic ‘Browser Caching breaks Child Theme Headers.’ is closed to new replies.
