misposted…cannot find how to delete this thread.
Hello and thank you for this great plugin!
I am setting up the Content Security Policy, and am wondering if there is a manual for this?
In my previous plugin for setting Content Security Policy, I had to first set it in Learning mode, so that it would learn about which exceptions it should add to the policy. Then I could enforce the policy.
I tried setting the HTTP Header plugin Content Security Policy to Report only, but I could not see anything added to it after using all the functions on my website.
Which is the proper way to set up the policy?
Thank you!
Best regards,
Hello, all – I’m trying to figure out why HSTS is only applied to .php and .HTML files. My security auditors are failing the site as .css is still unprotected.
location ~* \.(php|html)$ {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}
If the ‘location’ was not included, every file would be covered, as I understand. It looked like I could edit this (manual setup) but I couldn’t make any changes.
Anyone know what I’m missing, here?
Thank you!
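For the case described in the post above, an added example (not part of the original post and not the plugin's generated output) of the extension-limited location block beside a server-level header that also covers static assets. The server name, paths, certificate files and PHP-FPM socket are constructed placeholders.

```nginx
# Constructed example: server_name, root, certificate paths and the
# PHP-FPM socket are placeholders, not values from the post.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Server level: sent with every response from this server block,
    # including .css, .js and images. "always" also covers error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Before (as quoted in the post): only URIs ending in .php or .html
    # match, so a request for /style.css never receives the header.
    # location ~* \.(php|html)$ {
    #     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    # }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Caveat: a block that declares its own add_header stops inheriting
    # the server-level ones, so the HSTS line has to be repeated here.
    location ~* \.(css|js|png|jpg|gif|svg|woff2)$ {
        add_header Cache-Control "public, max-age=86400";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
}
```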
Hello Dimitar!
I’m trying to fine tune expires on my site and set it all = 1 day for testing reasons. see screenshot
In your inspect headers page everything is ok – see screenshot
but when I check the expires in Firefox inspector I see:
Frontpage, images, php: Expires Wed, 11 Jan 1984 05:00:00 GMT
js: Expires Thu, 31 Dec 2037 23:55:55 GMT
css: no expires at all
(see screen examples below)
What should I do to set the expires properly?
Thanks in advance!
Hi,
I just installed HTTP Headers for the first time. Then I proceeded to set up CSP header. Afterwards the site did not load properly anymore and I am not able to change CSP settings. I have to deactivate HTTP Headers, and cannot reactivate it to change the settings, so HTTP Headers is now lost to me.
How can I fix it? And are there recommendations for proper CSP settings?
Thanks!
Ralf
Whenever I have this plugin activated, it prompts this warning in the Post SMTP plugin settings:
“Postman: wp_mail has been declared by another plugin or theme, so you won’t be able to use Postman until the conflict is resolved.”
This happens even with none of the headers turned on. I also did a search of your plugin’s files and found no reference to the wp_mail function, any idea why this is happening?
Thanks.
The title says all. I don’t know how to configure that section so I don’t screw up. Help? ;(
I’m just trying to find out what file the plugin puts the headers in when you use php to send headers because I’m using nginx so htaccess doesn’t do anything for me.
Thanks.
Hello Community,
I installed the HTTP Headers plugin and then wanted to add custom headers to resolve content-type problems with many images that I recently uploaded. After adding the custom headers and upon clicking save, the website broke and since then I can’t access the WP dashboard for the website nor the frontend of the site. I have tried renaming the plugin on my FTP server to disable the plugin but that did not help. I can’t for some reason locate my .htaccess file in my root directory to make any changes there. How can I resolve this issue and regain access to my website?
Thanks for the suggestions in advance
Regards,
Rahul
I’m using this plugin on a site where PostSMTP is used to send mails more reliably. HTTP Headers stops the plugin from using its own mailing function.
Postman: wp_mail has been declared by another plugin or theme, so you won't be able to use Postman until the conflict is resolved.
More info that may help - /[...]/wp-includes/pluggable.php:174
Here’s what I think is happening after a bit of research:
PostSMTP checks function_exists('wp_mail') in post-smtp/Postman/PostmanWpMailBinder.php before defining the function with their own mailing code. The standard WordPress mailing function does the same in wp-includes/pluggable.php, so if no plugin defines wp_mail with their own code before pluggable.php, the standard function is declared.
However, HTTP Headers seems to load pluggable.php before PostSMTP runs, so it defines the standard wp_mail and PostSMTP cannot overwrite it. This happens in http_headers_option($option) in http-headers.php:
require_once ABSPATH . WPINC . '/pluggable.php';
Is this something you can fix or provide a workaround for? Thanks!
Hello,
I recently installed a new header on my site (nickpanico.com) using the HTTP Headers WordPress plugin, and now it requires a username and password. I entered all the credentials I knew, but I still cannot access my WordPress site’s front end and admin view.
How can you help me remove this header? Please provide me with the credentials to enter my site and instructions on removing this header that requires me to log in. What is the name of this header? Please help ASAP!
(Please see screenshot link here)
Regards,
Nick
Hello!
I want to know if I can use the Content Security Policy settings to allow certain third party scripts to run from a certain domain? E.g.:
Thanks
Please make sure the following file has write permissions: /home/smartshopsolutions/htdocs/smartshopsolutions.shop/.htaccess
How to fix it? I use CloudPanel hosting.
Hi there,
I installed the plugin but it is not working when the method for sending headers is set as “Use Apache(mod headers) to send headers” inside Advanced Settings. It works if I select “Use PHP to send headers” which is deprecated now.
Please help
Thanks
Hello, as I show in the attachment, my website rejects requests by Microsoft Clarity. I set Access-Control-Allow-Origin and Cross-Origin-Resource-Policy to solve this issue, but the result is the same, I wonder where I am making a mistake?
I have activated and setup HTTP headers however on the scan here: https://securityheaders.com & Really Simple SSL Security Headers Scan, the following headers which I have enabled are still not showing up:
Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy, HTTP Strict Transport Security, X-XSS-Protection
These are detected:
Strict-Transport-Security & X-Content-Type-Options are being picked up.
I tried disabling WP Super Cache in case it was stripping the headers but it didn’t fix it.
Any ideas why these headers aren’t working?
Many thanks
Alex
Hello,
I use HTTP Headers alongside an email delivery plugin called “POST SMTP”, https://www.ads-software.com/plugins/post-smtp/
If your plugin, HTTP Headers, is active, the settings page of the “POST SMTP” plugin shows a warning like:
“
Postman: wp_mail has been declared by another plugin or theme, so you won’t be able to use Postman until the conflict is resolved.
More info that may help – /path/wp-includes/pluggable.php:174
Please notice
Post SMTP v2 includes and new feature called: Mailer Type.
I recommend to change it and TEST Post SMTP with the value PHPMailer.
ONLY if the default mailer type is not working for you.
“
If HTTP Headers is inactivated – the above warning is gone.
I don’t know of any reason why your plugin will use the mail function of WP.
Can you look into this?
Good morning team,
Should I use this plugin when I use Cloudflare (with SSL Full)?
I also go through Cloudflare to activate HSTS, with the plugin isn’t it also good to add it?
Thx to you!
I’d appreciate if these code changes can be made and released as a new version. I tried to update SVN but I have no access, otherwise I’d be happy to.
Problem: WP Rocket and HTTP Headers plugin don’t play together, the headers are never returned. This is because WP Rocket creates a .html cache file and a .html_gzip file.
-rw-rw-r-- 1 1001 root 143720 Oct 30 11:39 index-https.html
-rw-rw-r-- 1 1001 root 24560 Oct 30 11:39 index-https.html_gzip
Solution: Change regex to support html_gzip
http-headers.php
lines 878 and 1107
878: - array('location ~* \.(php|html)$ {'),
878: + array('location ~* \.(php|html|html_gzip$ {'),
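Review bot: the replacement string for line 878 is missing the closing parenthesis of the alternation group, so `\.(php|html|html_gzip$ {` is an unbalanced regex and the generated nginx location block will fail to compile. It should read `\.(php|html|html_gzip)$ {`, matching the form used in the FilesMatch change proposed for line 1107.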
1107: - array(' <FilesMatch "\.(php|html)$">'),
1107: + array(' <FilesMatch "\.(php|html|html_gzip)$">'),
Hi,
I try the Custom headers below but they do not work:
Header
Link:
Value<https://www.example.com/manifest.txt>; rel="prefetch"
Please advise how to use this plugin and make it work?
Content Security Policy and feature-policy
I don’t know how to choose the settings in these two sections
The site crashed several times, but I fixed it with Bakab, please help me
https://securityheaders.com/?q=https%3A%2F%2Fwww.auction-savvy.com&followRedirects=on
On LiteSpeed server, I have input settings via plugin and multiple security scans have returned errors stating the following even though htaccess has the code in it:
YES Content-Security-Policy
YES X-Frame-Options
NO Strict-Transport-Security
NO X-Content-Type-Options
NO Referrer-Policy
NO Permissions-Policy
Host states they can’t do anything so is this plugin compatible with litespeed server and if so what is the fix to get it working?
I’ve used the Plugin to include HTTP Headers for X-Frame-Options, X-XSS-Protection, Strict-Transport-Security and Content-Security-Policy.
The Plugin states in the Dashboard that the Headers are installed successfully, but the Inspect Headers Functions comes back negative as well as external scanners like mozilla observatory.
I’ve checked the .htaccess manually and as far as I can see the headers are there.
Any suggestions on why this isn’t working?
Hi @zinoui
I just noticed after version 1.18.10, the function to Import/Export functions setting has been removed. This function was really helpful for all of us who have lots of sites. Is it possible to bring back this function?
Hello, I’m trying to update my security policy using the HTTP Headers plugin. I’ve set the value of X-Frames-Options to “Deny” but it’s still showing up as “SAME ORIGIN”. The same thing is happening with my content security policy. img-src is showing up as “*” instead of “self”.
Does anyone know of another plugin that has the same features as HTTP Headers? Or can I just edit the PHP file directly to make the changes?
Thanks!
Wordfence has reported SQL injection on the plugin version 1.18.9
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/http-headers/http-headers-1189-authenticatedadministrator-sql-injection
Wordfence are reporting a vulnerability with the latest version: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/http-headers/http-headers-1189-authenticatedadministrator-sql-injection
Me and our team were in a hurry and having trouble creating a 100% SSL score, so we resorted to using this plugin to add security measures. According to really simple ssl they said that there was a lot of missing headers and parts for the ssl. I found the inspect headers tab that was showing the missing headers. I thought to myself these are all the essential headers you need to have good ssl score. So I started turning each one on one by one until I didn’t even notice a password and user name field for www-authenticate. I unknowingly didn’t type any password or username, turned it on and pressed save changes. Afterwards I couldn’t access WordPress admin dashboard at all anymore. We have access to the files through the server and we don’t know what to do at all. Please help.
Does it support control cookie please? and any online tutorial?
Thanks
Hi there. We are using this plugin on our website, but when we check Page Insights, it throws a warning about the Chat plugin we are using.
I’ve setup the feature but it still throws the warning.
https://www.79design.org.uk:1:0Access to script at ‘https://embed.tawk.to/5cefd243267b2e5785302a08/default’ from origin ‘https://www.79design.org.uk’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
https://snipboard.io/DW7KaQ.jpg
Can you help please?