content security policy not working when cache is on
Hello everybody,
I’m trying to fix my content security policy and I’m having some trouble.
My website is: https://www.megasecureurope.com
My content security policy is placed in a file, headers.php, located in the root:
<?php
// Build the policy one directive at a time. Each directive ends with "; "
// so that the next directive is not fused onto its last source.
$security_policy  = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.youtube.com https://s.ytimg.com https://ajax.googleapis.com https://*.megasecureurope.com https://*.megasecureurope.com; ";
$security_policy .= "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com http: https: *.megasecureurope.com; ";
$security_policy .= "font-src 'self' data: https://fonts.gstatic.com http: https: *.megasecureurope.com; ";
$security_policy .= "img-src 'self' data: https://i.ytimg.com/ https://www.google-analytics.com https://*.wp.com https://www.remarpro.com https://ps.w.org https://*.gravatar.com https://www.catnat.net/ https://www.catnat.net/ https://*.megasecureurope.com https://*.megasecureurope.com";

header('Cache-Control: no-cache, max-age=0, must-revalidate');
header('X-UA-Compatible: IE=edge');
header('X-Frame-Options: SAMEORIGIN');
// The same policy under the standard header name and the two legacy prefixed names.
header('Content-Security-Policy: ' . $security_policy);
header('X-Content-Security-Policy: ' . $security_policy);
header('X-WebKit-CSP: ' . $security_policy);
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header('Strict-Transport-Security: max-age=16000000; includeSubdomains; preload;');

// Drop headers that should not be sent.
header_remove('Last-Modified');
header_remove('X-Powered-By');
header_remove('ETag');
header_remove('Link');
?>
and I’m doing an include in the header.php file of my theme (I have PHP running with CGI, so I can’t use htaccess):
<?php include('/home/clients/#####/web/headers.php'); ?>
When WP Super Cache is OFF, everything goes well and all my security headers are on (tested on https://securityheaders.io).
The problem is, when I turn on WP Super Cache, all the security headers are gone. Have you already had such a problem?
What can I do to fix this problem? Maybe there is a way to override something? Thanks in advance for your help!
Nicolas
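One way to confirm the symptom described in the post, added here as an example that is not part of the original post: the script compares two response header dumps (such as the output of `curl -sI` saved with the cache off and on) and reports which of the security headers sent by headers.php are absent from the cached response. Both header dumps are constructed samples, and the names `parse_headers` and `compare` are hypothetical.

```python
# Added example; both header dumps are constructed samples, not real captures.
EXPECTED = ("Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "X-XSS-Protection",
            "Strict-Transport-Security")  # sent by the post's headers.php

UNCACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: script-src 'self'; style-src 'self'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=16000000; includeSubdomains; preload
"""

CACHED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: value} from a raw response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; repeated headers are joined.
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def compare(uncached_raw, cached_raw, expected=EXPECTED):
    """Classify each expected header by how it fares in the cached response."""
    fresh, cached = parse_headers(uncached_raw), parse_headers(cached_raw)
    report = {}
    for name in expected:
        key = name.lower()
        if key not in fresh:
            report[name] = "never sent"
        elif key not in cached:
            report[name] = "missing when cached"
        elif fresh[key] != cached[key]:
            report[name] = "value differs"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    print(compare(UNCACHED, CACHED))
```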