The test returns that HSTS requires the “subdomain” and “preload” directives to be enabled. However, in the plugin settings it sounds like they should be activated only if the site is on https. Mine is, so why do I get a “No HSTS header is present” error whereas I had an A+ result before?
Moreover, it degraded from A+ to D and mentions that inclusion in the preload list has permanent consequences and is not easy to undo. So how do I go back to normal now?
Hi Andrea,
your plugin is very interesting and would let me avoid server-side configurations.
My only difficulty is how to integrate x-xss-protection and referrer-policy. I’ve read that it is possible, but how?
My goal is to set referrer-policy as strict-origin-when-cross-origin and x-xss-protection as 1; mode=block.
Thanks
Hello, I have some domains that are reported as follows by securityheaders.com:
Strict-Transport-Security : ok
Content-Security-Policy : NOT ok
X-Frame-Options : NOT ok
X-Content-Type-Options : NOT ok
Referrer-Policy : NOT ok
Permissions-Policy : NOT ok
Every one of them has Headers Security Advanced & HSTS WP active with the following params, which work for my other domains:
max-age : 63072000
enable include subdomain : ON
CSP headers content : upgrade-insecure-requests;
CSP report URI : (void)
Permissions Policy Contents : (void)
All these have the same params, but not the same results... I don't get it. We use the same WP cache plugin (WP Rocket) everywhere; could that be the problem?
Click “Enable preload”, error type E ERROR headers-security-advanced-hsts-wp.php occurred at line 230 of file headers-security-advanced-hsts-wp.php. Error message: Uncaught ValueError: Unknown format specifier "?" in headers-security-advanced-hsts-wp/headers-security-advanced-hsts-wp.php:230
Unable to enable Enable preload.
I activated Headers Security Advanced & HSTS WP plugin. However, in the Really Simple SSL status screen, it still says No HSTS Header. What should I do?
Hi,
Please help me take a look at these two screenshots. I have made relevant settings, but duplicate headers still appear.
X-Frame-Options: There was a duplicate X-Frame-Options header.
X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
Please see two img :
https://prnt.sc/IDR4UwvU4gkI
Hello, Andrea,
thanks for your effort, and I am glad that you are really proud of your very useful plugin. Still: the issue with the warnings for duplicate headers, which has been reported many times by a lot of users by now, remains unchanged, and for every instance of the plugin that I have installed.
This leaves me with very mixed feelings: I do not want to drive out one evil by inviting in another one, metaphorically speaking. Thank you, keep up the good work and I hope you will finally sort this out!
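The first post asks why a scanner reports “No HSTS header is present” and what the preload requirements are; the posts just above report duplicate X-Frame-Options and X-Content-Type-Options headers. Both are things you can check yourself from the raw response headers before trusting a scanner's grade. The following script is an added example, not code from the plugin: it parses a captured header block, lists every header name that appears more than once (the usual cause is the web server configuration and the PHP layer both emitting the same header; PHP's own header() with replace=true can only deduplicate the PHP side) and checks the Strict-Transport-Security value against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload). The sample header block is constructed; whether to actually submit to the preload list is a separate decision, since removal from the list is slow, as the first post notes.

```php
<?php
// Added example (not part of the plugin): audit a raw HTTP response header
// block the way a scanner or a browser sees it. The header block below is
// constructed sample data.

declare(strict_types=1);

/** Parse "Name: value" lines into a list of [name, value] pairs (names lowercased). */
function parse_header_lines(string $raw): array
{
    $pairs = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or junk, not a header
        }
        [$name, $value] = explode(':', $line, 2);
        $pairs[] = [strtolower(trim($name)), trim($value)];
    }
    return $pairs;
}

/** Return the header names that appear more than once in the response. */
function find_duplicate_headers(array $pairs): array
{
    $counts = [];
    foreach ($pairs as [$name, $_]) {
        $counts[$name] = ($counts[$name] ?? 0) + 1;
    }
    return array_keys(array_filter($counts, fn(int $n): bool => $n > 1));
}

/** Check an HSTS value against the preload-list requirements; empty list means eligible. */
function hsts_preload_problems(?string $value): array
{
    if ($value === null) {
        return ['No HSTS header is present'];
    }
    $directives = array_map('trim', explode(';', strtolower($value)));
    $problems = [];
    $maxAge = null;
    foreach ($directives as $d) {
        if (preg_match('/^max-age=(\d+)$/', $d, $m)) {
            $maxAge = (int) $m[1];
        }
    }
    if ($maxAge === null || $maxAge < 31536000) {
        $problems[] = 'max-age must be at least 31536000 (one year)';
    }
    if (!in_array('includesubdomains', $directives, true)) {
        $problems[] = 'includeSubDomains directive missing';
    }
    if (!in_array('preload', $directives, true)) {
        $problems[] = 'preload directive missing';
    }
    return $problems;
}

// Constructed sample: both the web server and PHP emitted X-Frame-Options and
// X-Content-Type-Options, and the HSTS value lacks the preload directive.
$sample = <<<HDR
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
HDR;

$pairs = parse_header_lines($sample);
print_r(find_duplicate_headers($pairs));

$hsts = null;
foreach ($pairs as [$name, $value]) {
    if ($name === 'strict-transport-security') {
        $hsts = $value;
        break;
    }
}
print_r(hsts_preload_problems($hsts));
```

To audit a live site, paste the output of `curl -sI https://your-site.example/` into $sample; a duplicate reported here means two layers (for example an .htaccess rule and the plugin) are both setting the header, and one of them has to be removed rather than overridden.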
Hi!
I am using the Gravity Forms PayPal Checkout AddOn which is officially supported by GravityForms. When trying to do a payment in Chrome it fails, the console indicates a Permission Policy Violation. Is it possible to add support for the Gravity Forms AddOn here?
The payment can be easily done when the plugin is disabled.
The payment also works fine when using Safari.
Hello
In the main file of the plugin I see this line:
add_action('wp_loaded', 'hsts_plugin_flush_rewrite_rules');
Here the function that is called at every page load:
function hsts_plugin_flush_rewrite_rules(): void {
    global $wp_rewrite;
    if ( $wp_rewrite instanceof WP_Rewrite ) {
        $wp_rewrite->flush_rules();
    }
}
This means that every time you visit a page, the plugin flushes the rewrite rules. This is a big loss in terms of performance.
Why are you doing that without any conditions? Is there a way to flush the rewrite rules only when you need it? For example on plugin activation?
Thank you.
Have a great day!
Jose
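The pattern Jose asks about in the post above (flush only when the rules can have changed, not on every wp_loaded) is shown below as an added example; it is not the plugin's code. flush_rewrite_rules() rewrites the rewrite_rules option and, where WordPress manages it, the .htaccess file, so calling it per request is pure overhead. The hook names (register_activation_hook, register_deactivation_hook, init, update_option_{$option}) are real WordPress APIs; the option names hsts_plugin_needs_flush and hsts_plugin_settings are placeholders for whatever the plugin stores.

```php
<?php
// Added example, not the plugin's code: flush rewrite rules once, when they
// actually change, instead of on every page load.

declare(strict_types=1);

const HSTS_PLUGIN_FLUSH_FLAG = 'hsts_plugin_needs_flush'; // placeholder option name

// On activation the plugin's own 'init' callbacks (where add_rewrite_rule()
// would be called) have not run for this request yet, so flushing here would
// drop the plugin's rules. The documented-safe pattern is to set a flag and
// flush on the next 'init'.
register_activation_hook(__FILE__, static function (): void {
    update_option(HSTS_PLUGIN_FLUSH_FLAG, '1', false);
});

// On deactivation the plugin's rules are gone, so a direct flush is correct.
register_deactivation_hook(__FILE__, static function (): void {
    flush_rewrite_rules();
    delete_option(HSTS_PLUGIN_FLUSH_FLAG);
});

// Consume the flag exactly once. Priority 99 so this runs after the plugin's
// own add_rewrite_rule() calls on 'init'. On ordinary page loads the option
// lookup is served from the options cache and nothing else happens.
add_action('init', static function (): void {
    if (get_option(HSTS_PLUGIN_FLUSH_FLAG) !== '1') {
        return;
    }
    delete_option(HSTS_PLUGIN_FLUSH_FLAG);
    flush_rewrite_rules();
}, 99);

// If the plugin rewrites .htaccess whenever its settings are saved, flush at
// that moment. 'update_option_{$option}' fires after the named option changes;
// 'hsts_plugin_settings' is a placeholder for the plugin's settings option.
add_action('update_option_hsts_plugin_settings', static function (): void {
    flush_rewrite_rules();
});
```

With this in place, an ordinary front-end request costs one cached option read instead of a database write and an .htaccess rewrite.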
Hi,
I have a video which is playing in the background. For some reason now it is not showing and I receive these errors. When the CSP Header Contents is “upgrade-insecure-requests;” I receive the error:
[Error] The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
[Error] The Content Security Policy 'upgrade-insecure-requests;' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
but when it is “object-src ‘none’; upgrade-insecure-requests;” I receive the error:
[Error] The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
[Error] The Content Security Policy 'object-src 'none'; upgrade-insecure-requests;' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
I have enabled max age (63072000), Subdomains, Preload, Disable (X-Content-Type-Options), Disable (X-Frame-Options). We are behind CF.
How to follow a compliance from serpworx
Unfortunately, your plugin causes an issue with my YouTube videos on my Elementor Pro website. Visitors have to click the video twice before the video will play when I enable your plugin.
I would like to use your plugin again as I do like it. For now, I’ve had to disable your plugin.
Is it possible for you to fix the need to click a video twice in order to play it when your plugin is enabled?
Thank you.
Monica peck
Greetings, I love your plugin, I have contributed for your great work!
On the sites that I updated today to 5.0.37, I am getting a warning in the search console:
“The Content Security Policy directive ‘upgrade-insecure-requests’ is ignored when delivered in a report-only policy.”
I checked a couple of sites that I have not upgraded yet and they are not seeing this error. Don’t know how important this is, but thought you should know.
Happy to beta test anything.
https://www.ads-software.com/plugins/sentinel-headers-unlimited-extension/
Hi, thanks for your plugin, but don’t you think we need to explain the difference between these two plugins? Or discontinue the other one since it doesn’t have many active installations anyway?
This confuses me.
Should I use this one or the other?
For some reason the rules are not being saved in the .htaccess file
Hi, are we able to populate the report-to information via the plugin? If not, is this a feature in development?
Many thanks!
Thank you for a great plugin!
We have had an issue since updating to the latest version 5.0.36 on our WooCommerce site, with the Stripe plugin “Payment Plugins for Stripe WooCommerce”. All of a sudden, the Stripe credit card fields don’t load.
The console was showing these errors:
“Access to fetch at ‘https://stripe.com/cookie-settings/enforcement-mode’ from origin ‘https://posterprintshop.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.”
“POST https://api.stripe.com/v1/consumers/sessions/start_verification 400 (Bad Request)”
When we deactivated your plugin Stripe credit card fields were consistently showing up again.
Any idea what could have caused this, and if there are any settings we can set to keep your plugin active while still avoiding the Stripe checkout problem?
Hello, I appreciate the efforts you’re making.
I am facing an error in the Chrome console which is as follows:
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'attribution-reporting'.
Error with Permissions-Policy header: Unrecognized feature: 'battery'.
Error with Permissions-Policy header: Unrecognized feature: 'compute-pressure'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.
Error with Permissions-Policy header: Unrecognized feature: 'otp-credentials'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'private-state-token-issuance'.
Error with Permissions-Policy header: Unrecognized feature: 'serial'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'shared-storage'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'shared-storage-select-url'.
Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'private-state-token-redemption'.
Error with Permissions-Policy header: Unrecognized feature: 'usb-unrestricted'.
Is there any solution for this please ?
Hello,
There is a problem with Headers Security Advanced & HSTS WP version 5.0.36. The plugin is activated and up to date.
When I check online whether the security headers are working, I only get an error message.
I deactivated all my other WP plugins and found the culprit in WP-Rocket.
If WP-Rocket is deactivated, Headers Security Advanced & HSTS works without errors.
If WP-Rocket is activated, no security headers are displayed and/or inserted in WP.
So the Headers Security Advanced & HSTS plugin does not work correctly together with WP-Rocket.
Please fix the problem, as I would not like to do without Headers Security Advanced & HSTS.
Regards
We have three pages that use an embedded script code from https://easydmarc.com/ and no matter what we try to do to allow it to work we get this error. Any help would be greatly appreciated.
As my ‘site diagnosis status’ states the below warnings, I’ve installed the ‘Headers Security Advanced & HSTS WP’ plugin. In the settings of the plugin I entered (Max-age) and enabled the advised settings (Include Subdomains & Preload) + saved this.
But the Site diagnosis status stays the same … the plugin didn’t solve the problem. Please advise.
Not all recommended security headers are installed
Security
Your site is not sending all recommended security headers.
Upgrade Insecure Requests
X-XSS protection
X-Content Type Options
Referrer Policy
X-Frame-Options
Permissions Policy
HTTP Strict Transport Security
Is there a way to only use report-only CSP until we’re ready to fully turn on the CSP rules?
We have quite a few items to resolve before enabling CSP and would like to only use report-only until we are ready to enforce the rules.
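The console errors quoted earlier on this page (“‘upgrade-insecure-requests’ is ignored when delivered in a report-only policy” and “delivered in report-only mode, but does not specify a ‘report-to’; the policy will have no effect”) and the question just above about running report-only until the site is ready both come down to how the CSP header is assembled. Below is an added example, not the plugin's code, of a builder that handles the two modes: in enforce mode it sends Content-Security-Policy as written; in report-only mode it drops upgrade-insecure-requests (which browsers ignore there), refuses to send a policy with no reporting endpoint (the browser would ignore it anyway), and emits both report-uri and report-to with the matching Reporting-Endpoints header. build_csp_headers and the option names are assumptions; send_headers is a real WordPress action.

```php
<?php
// Added example, not the plugin's code: assemble CSP headers so that
// report-only mode is actually useful and produces no console warnings.

declare(strict_types=1);

/**
 * Returns an associative array of header name => value to send.
 *
 * @param string      $policy     e.g. "object-src 'none'; upgrade-insecure-requests;"
 * @param bool        $reportOnly true until the site is ready to enforce
 * @param string|null $reportUri  endpoint that collects violation reports
 */
function build_csp_headers(string $policy, bool $reportOnly, ?string $reportUri): array
{
    // Normalise "a; b;;" into a clean list of directives.
    $directives = array_values(array_filter(array_map('trim', explode(';', $policy)), 'strlen'));
    $headers = [];

    if (!$reportOnly) {
        // Enforce mode: upgrade-insecure-requests is honoured here.
        $headers['Content-Security-Policy'] = implode('; ', $directives);
        return $headers;
    }

    // Report-only mode: upgrade-insecure-requests has no effect, so leave it
    // out rather than trigger a console error on every page.
    $directives = array_values(array_filter(
        $directives,
        fn(string $d): bool => strtolower($d) !== 'upgrade-insecure-requests'
    ));

    if ($directives === [] || $reportUri === null || $reportUri === '') {
        // Nothing to report on, or nowhere to report to: a report-only policy
        // without an endpoint is ignored by the browser, so send no header.
        return $headers;
    }

    // report-uri is the most widely supported; report-to needs a matching
    // Reporting-Endpoints header, so send both.
    $directives[] = 'report-uri ' . $reportUri;
    $directives[] = 'report-to csp-endpoint';
    $headers['Reporting-Endpoints'] = 'csp-endpoint="' . $reportUri . '"';
    $headers['Content-Security-Policy-Report-Only'] = implode('; ', $directives);
    return $headers;
}

// Wire it into WordPress. Option names are placeholders for the plugin's
// own settings; the third argument true to header() replaces any earlier
// PHP-side header of the same name, avoiding duplicates from this layer.
add_action('send_headers', static function (): void {
    $headers = build_csp_headers(
        (string) get_option('hsts_plugin_csp_policy', ''),
        (bool) get_option('hsts_plugin_csp_report_only', true),
        get_option('hsts_plugin_csp_report_uri', '') ?: null
    );
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value, true);
    }
});

// Constructed demo values, using the policy quoted in the earlier post:
$policy = "object-src 'none'; upgrade-insecure-requests;";
print_r(build_csp_headers($policy, true, null));                             // report-only, no endpoint: no header
print_r(build_csp_headers($policy, true, 'https://example.com/csp-report')); // report-only with reporting
print_r(build_csp_headers($policy, false, null));                            // enforce mode
```

The practical reading of the two console messages is that a report-only header is a monitoring tool, not a half-strength policy: upgrade-insecure-requests only does anything in the enforcing Content-Security-Policy header, and a report-only policy without an endpoint collects nothing.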
For the developer’s awareness.
This might not be a plugin issue, but a Localwp issue. I’ve opened a ticket with Localwp.
_________________________
Upon installing the WPdistrib distribution locally using localwp.com software, the “Headers Security Advanced & HSTS WP” plugin generates a critical error in both the backend and frontend. Deactivating the plugin resolves the issue. An investigation is underway to determine the exact cause of the error. It is noteworthy that this issue has not been observed on XAMPP, another popular local server solution, nor on multiple hosting platforms. This suggests that localwp is likely the culprit, potentially due to a misconfiguration of PHP or other factors.
Hey guys,
This looks like a great plugin. If I wanted to run this, would I need any other additional security plugins together with this, or is your plugin a ‘one-stop-shop’?
Thanks, Jo
I had an issue with this plugin. AIOSEO and Jetpack couldn’t get access to the REST API, and everything was disabled due to it (couldn’t update pages or posts in the blog). Upon disabling this plugin, it worked again. I don’t know if there is an option I should check or not.
I get an error message every morning from Malcare... I was researching a way to fix the issue and your plugin was recommended, but it has already been installed on my site for quite some time. Do I need to change the settings?
#WordPress Core All Versions – Unauthenticated Blind Server-Side Request Forgery vulnerability
-Vulnerability type: Server Side Request Forgery (SSRF)
-No Update Available
Hi, I was wondering if there’s a way to avoid ‘unsafe-inline’ and ‘unsafe-eval’ within the ‘script-src’ and ‘style-src’ rules? I custom generated header rules using the Chrome/Firefox extensions listed, but it broke the site without ‘unsafe-inline’ and ‘unsafe-eval’.
Appreciate your help in advance!
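The standard way to drop 'unsafe-inline' from script-src without breaking a WordPress site is a per-request nonce: the CSP header allows scripts carrying that nonce, and every script tag WordPress prints gets it. The code below is an added example, not the plugin's code, and it cannot be expressed as a static header string in a settings field, because the nonce must differ on every response. csp_request_nonce and csp_policy_with_nonce are assumed names; send_headers, wp_script_attributes, wp_inline_script_attributes (WordPress 5.7+) and script_loader_tag are real WordPress hooks. Scripts a theme or plugin prints by hand, outside the enqueue API, stay blocked; the console violations are how you find and migrate them. 'unsafe-eval' is not addressed by nonces at all: it can only go away once no loaded script calls eval() or new Function().

```php
<?php
// Added example, not the plugin's code: nonce-based script-src so that
// 'unsafe-inline' can be removed for scripts.

declare(strict_types=1);

/** One nonce per request: 16 random bytes, base64-encoded as CSP requires. */
function csp_request_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

/** Build the policy around the nonce. 'strict-dynamic' lets nonced scripts
 *  load their own dependencies without listing every CDN host. */
function csp_policy_with_nonce(string $nonce): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'nonce-{$nonce}' 'strict-dynamic' 'self'",
        // Inline style attributes are common in WordPress output, so many
        // sites keep 'unsafe-inline' for styles while fixing scripts first.
        "style-src 'self' 'unsafe-inline'",
        "object-src 'none'",
        "base-uri 'self'",
    ]);
}

add_action('send_headers', static function (): void {
    header('Content-Security-Policy: ' . csp_policy_with_nonce(csp_request_nonce()), true);
});

// WordPress 5.7+: tags printed through wp_get_script_tag() and
// wp_get_inline_script_tag() expose their attributes to these filters.
add_filter('wp_script_attributes', static function (array $attributes): array {
    $attributes['nonce'] = csp_request_nonce();
    return $attributes;
});
add_filter('wp_inline_script_attributes', static function (array $attributes): array {
    $attributes['nonce'] = csp_request_nonce();
    return $attributes;
});

// Versions that build enqueued script tags as plain strings: rewrite the tag.
// Every <script in the string gets the nonce (translations and inline
// before/after scripts are printed in the same string), skipping tags that
// already carry one.
add_filter('script_loader_tag', static function (string $tag): string {
    if (strpos($tag, ' nonce=') !== false) {
        return $tag;
    }
    return str_replace('<script ', '<script nonce="' . csp_request_nonce() . '" ', $tag);
}, 10, 1);
```

Roll this out in report-only mode first (Content-Security-Policy-Report-Only with a reporting endpoint) and switch the header name to Content-Security-Policy once the violation reports are down to scripts you have migrated to the enqueue API.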
I’m excited to announce the launch of version 5.0.36 of the Headers Security Advanced & HSTS WP plugin, a significant update that heralds a broad array of improvements and new features. This update marks a crucial milestone in my ongoing commitment to innovation and security, ensuring that the Headers Security Advanced & HSTS WP plugin remains cutting-edge and fully compatible with the latest WordPress 6.5.
Extended Compatibility with WordPress 6.5
I’ve thoroughly tested and optimized this new version to guarantee full compatibility with WordPress 6.5, allowing you to take advantage of the latest features and enhancements offered by WordPress without any compatibility issues or performance setbacks.
Bug Fixes
In this update, I’ve focused on identifying and fixing various bugs present in previous versions. This effort aims to provide an improved user experience, enhancing the stability and performance of the plugin.
New feature: Resolving duplicate headers.
One of the significant additions in this release is a feature designed to address the problem of duplicate headers on SecurityHeaders.com. This enhancement is critical for users who wish to resolve the warning of some duplicate headers in one click, offering an effective solution to ensure that security headers are configured correctly.
Why upgrade?
The update to version 5.0.36 of the Headers Security Advanced & HSTS WP plugin is not only recommended but essential to maintain the security, performance and compatibility of your site with the latest innovations of WordPress. With this update, I reaffirm my commitment to providing you with a reliable and advanced tool for managing your website that is accessible to everyone without distinction or cost.
Support and Feedback
Your feedback is invaluable to me, and I encourage all users to share their experiences with the new plugin version through our support forum or email. Your input helps me to continue improving and delivering the best tools possible for your online experience.
Thank you for your ongoing support and trust in the Headers Security Advanced & HSTS WP plugin. Happy updating!
I have a domain https://quezoncity.gov.ph/
and a sub domain https://staging.quezoncity.gov.ph/
I have an issue: on my domain (prod) the plugin is activated, but when I scan with Mozilla Observatory it says the HSTS header is not present.
But on my sub-domain (staging) the plugin is activated and the HSTS header is present on Mozilla Observatory.
Can anyone help me find the cause of this issue?