• Resolved doffine

    (@doffine)


    Hey Really Simple SSL team,

    I just installed your new version 4.0.0 and saw the redesigned user interface. One of its most prominent goals seems to be to move users to buy your premium plugin version more than before. Well, you may have every right to do so.

    But then we find your new “Missing security headers” note on the WordPress Site Health page. There you show features one should enable that are 100% premium features of your paid plugin.

    What you do in your own interface sure is more your thing. But I don’t think that WordPress set up the Site Health page as an advertising area for premium versions of free plugins.

    How can one get rid of this Site Health page note without buying your premium version?

    Don’t get me wrong. I really like your plugin, I have been a user for many years and I understand that you try to refinance your work. But this note clearly seems to be too intrusive to me. At least one should be able to get rid of it forever with one click or one checkbox.

    What world would it be if every free plugin author would take the same way and make the Site Health page to a marketplace for ads? Then I’ll have 20, 30, … entries in this page I cannot get rid of without buying their premium plugins. That cannot be. I have never seen something like this before on this page and our agency uses several hundreds of different plugins in 200+ WordPress installations.

    Greetings,
    -doffine

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @doffine,

    Thanks for your input. I agree with you. Our usual practice is to offer users the option to do it themselves, and as an alternative give an option to upgrade.

    This first option is missing on this page, which is not how it should be.

    To get rid of the notice, you can select one or more of the following headers to add to your .htaccess:

    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set X-XSS-Protection "1; mode=block"'
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set X-Frame-Options "sameorigin"
    Header always set Content-Security-Policy "upgrade-insecure-requests"

    I will update the article accordingly.

    Let me know if that works for you.

    mfarmerhi

    (@mfarmerhi)

    Add those in *WHERE* in .htaccess!?

    Because adding them in anywhere – from the beginning to inside your RS SSL coding to tacking on the end – resulted in a 500 error.

    Honestly, rather than upgrading to pro… I think it’d be easier to just delete the plugin and move on to something that’s not hell bent on trying to separate me from my $$$

    mfarmerhi

    (@mfarmerhi)

    Regarding (copied verbatim):

    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set X-XSS-Protection "1; mode=block"'
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set X-Frame-Options "sameorigin"
    Header always set Content-Security-Policy "upgrade-insecure-requests"

    Wild goose chase: the apostrophe [‘] renders your suggested changes unusable.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Sorry about the apostrophe. A copy paste error. Without apostrophe, for community purposes:

    Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy: "no-referrer-when-downgrade"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set X-Frame-Options "sameorigin"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
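
As an added example (not part of the thread or the plugin's code): a small Python check that catches the stray-apostrophe problem reported above before the snippet is pasted into .htaccess, and lists which headers from the posted list end up set. The function name and the use of `shlex` as a stand-in for Apache's quote handling are assumptions.

```python
import shlex

# Header names from the list posted in the thread, lower-cased.
EXPECTED = {
    "strict-transport-security", "x-xss-protection", "x-content-type-options",
    "referrer-policy", "expect-ct", "x-frame-options", "content-security-policy",
}

def lint_header_directives(text):
    """Return (headers, problems, missing) for the `Header ... set` lines in text.

    Quote handling uses shlex as an approximation; it is not Apache's parser.
    """
    headers, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("header "):
            continue  # blank lines, comments and other directives are ignored
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # a quote that is opened but never closed
            problems.append((lineno, f"unbalanced quote ({exc})"))
            continue
        args = tokens[1:]
        if args and args[0].lower() in ("always", "onsuccess"):
            args = args[1:]  # optional condition keyword
        if not args or args[0].lower() != "set":
            continue  # only `set` is checked in this example
        if len(args) not in (3, 4):
            problems.append((lineno, "expected: set <name> <value> [condition]"))
            continue
        # mod_headers accepts an optional trailing colon on the header name
        headers[args[1].rstrip(":").lower()] = args[2]
    return headers, problems, sorted(EXPECTED - set(headers))

# The corrected list from the thread.
FIXED = """\
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set X-Frame-Options "sameorigin"
Header always set Content-Security-Policy "upgrade-insecure-requests"
"""
# The first version posted in the thread: line 2 ends in a stray apostrophe.
BROKEN = FIXED.replace('"1; mode=block"', '"1; mode=block"\'')

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_header_directives(text)[1:])
```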

    Thread Starter doffine

    (@doffine)

    @rogierlankhorst,

    first thanks for coming back.

    We don’t want to change the .htaccess even with only one of these lines just to get rid of your plugin’s notification in the Site Health page.

    We just want that your plugin doesn’t push this notification into WordPress’ Site Health page.

    Or at least it should be possible to switch that off via a setting in your plugin or via a filter.

    Again: We are a web agency maintaining 200+ completely different WordPress installations with several hundreds of different plugins. Not a single one of them uses the Site Health page in this way.

    To be precise: Every single one of our 200+ Site Health pages shows the check mark and 0 problems to be solved.

    Now every single Site Health page shows just your note and we simply don’t want to upgrade to premium and also we don’t want to add only a single line to the .htaccess. The .htaccess are exactly as they should be. We won’t change them only to silence your plugin.

    It would really be more than enough if your plugin would inform the admin on your own plugin pages about these additional possible security features and not to hijack the Site Health page for ad purposes. I would be interested in what www.remarpro.com staff would say to this behaviour.

    So what can we / you do here to solve that? Otherwise we really would consider removing your plugin and replacing it.

    Greetings,
    -doffine

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Hi @doffine,

    We are releasing a maintenance release today where you can use the “dismiss all Really Simple SSL notices” to dismiss the notice (4.0.2).

    Thread Starter doffine

    (@doffine)

    @rogierlankhorst,

    thank you very much. That is a solution we can live with.
    Unfortunately the solution currently has a bug. We’ll open another thread for this.

    This one here is resolved.

    Greetings,
    -doffine

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    Hi @doffine,

    Ah, I see the problem. We’ll release a fix tomorrow. Thanks for reporting it.

    Thread Starter doffine

    (@doffine)

    @rogierlankhorst,

    ok then. Thank you very much.

    I reported this bug with detailed information in this forum but the new thread didn’t get published so far. So don’t be surprised that I “will be” reporting it again here, if it should appear here after all.

    Greetings,
    -doffine

  • The topic ‘“Missing security headers” on WordPress Site Health page’ is closed to new replies.