[Resolved] WebCodePoet

    (@senjoralfonso)


    Hello, I have disabled the HSTS header in NJFW, but it still loads. But because I set it in NGINX, it now gets loaded twice. Please fix this.

Viewing 7 replies - 1 through 7 (of 7 total)
    Plugin Author nintechnet

    (@nintechnet)

    Do you have any caching application or a CDN that may have cached the headers?

    Thread Starter WebCodePoet

    (@senjoralfonso)

    Hello, no sir, we are indeed using WP Rocket, but on the cache-delivered pages the headers are not saved; only on the real-time ones is it sent twice (I think because PHP is not executed on the cache).

    Plugin Author nintechnet

    (@nintechnet)

    How did you check your HTTP headers? Did you try from a terminal, by running this command: curl -I https://your-site.com
    Did you try to disable NinjaFirewall from the “Plugins” page, and check your HTTP headers to see if they are gone?

    Thread Starter WebCodePoet

    (@senjoralfonso)

    Hello, I found the problem over ssllabs.com, reviewed it in the browser console and tested with https://securityheaders.com

    “Strict-Transport-Security: There was a duplicate Strict-Transport-Security header.”

    If I deactivate Ninja Firewall, the warning seems to be gone.

    Plugin Author nintechnet

    (@nintechnet)

    I tried the site but it cached the results. Can you try either from the curl command line, or by clicking the “NinjaFirewall > Firewall Policies > Advanced Policies > HTTP headers test” button?

    Thread Starter WebCodePoet

    (@senjoralfonso)

    Hey, this is the output:

    access-control-allow-credentials: true
    access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
    access-control-allow-origin: *
    cache-control: no-cache, must-revalidate, max-age=0, no-store, private
    content-encoding: br
    content-security-policy: base-uri 'self'; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.domain.com domain.com *.domain.com; style-src 'self' 'unsafe-inline' *.domain.com domain.com *.domain.com; img-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com *.domain.org *.domain.com *.domain.com image.domain.com domain.com *.domain.com *.domain.com; media-src 'self' *.domain.com domain.com; font-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com; object-src 'self' *.domain.com domain.com; child-src 'self' blob: *.domain.com domain.com *.domain.com; manifest-src 'self' *.domain.com domain.com *.domain.com; connect-src 'self' *.domain.com domain.com api.domain.com domain.com *.domain.com domain.org api.domain.org; form-action 'self' *.domain.com domain.com *.domain.de; frame-ancestors 'self'; frame-src 'self' data: domain.com;
    content-type: text/html; charset=UTF-8
    cross-origin-embedder-policy: same-origin
    cross-origin-opener-policy: same-origin
    cross-origin-resource-policy: cross-origin
    date: Wed, 27 Mar 2024 21:45:59 GMT
    expect-staple: max-age=31536000; preload
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    link: https://www.domain.com/wp-json/; rel="https://api.w.org/", https://www.domain.com/wp-json/wp/v2/pages/7703; rel="alternate"; type="application/json", https://www.domain.com/; rel=shortlink
    permissions-policy: trust-token-re

    Thread Starter WebCodePoet

    (@senjoralfonso)

    I am so sorry, I found the problem. The plugin cf7_antispam sets the header, and this got cached in redis…
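    A small checker for the curl -I output nintechnet asked for, added here as an example that is not part of NinjaFirewall, cf7_antispam or this thread: it parses a captured header block, reports headers that are repeated where repetition is a misconfiguration, and explains how a browser treats a duplicated Strict-Transport-Security header. The sample block is constructed, modelled on the header dump posted earlier in the thread with a second HSTS header added; https://your-site.com is the placeholder host from the thread.

```python
"""Find duplicated response headers in a captured HTTP header block.
Usage: curl -sI https://your-site.com > headers.txt, then feed the text to
duplicate_headers() / hsts_report(). Added example, not the plugin's code."""
from collections import defaultdict

# Headers that may legitimately be sent more than once (list-valued or
# explicitly allowed to repeat); a repeat of anything else is a misconfiguration.
MULTI_OK = {"set-cookie", "link", "vary", "cache-control", "www-authenticate"}


def parse_headers(raw):
    """Map lower-cased header name -> list of values, in the order received."""
    found = defaultdict(list)
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or non-header text
        name, value = line.split(":", 1)
        found[name.strip().lower()].append(value.strip())
    return dict(found)


def duplicate_headers(raw):
    """Return only the headers whose repetition securityheaders.com would flag."""
    return {n: v for n, v in parse_headers(raw).items()
            if len(v) > 1 and n not in MULTI_OK}


def hsts_report(raw):
    """Explain what a browser does with the HSTS header(s) it received.
    RFC 6797 section 8.1: when more than one STS header field arrives,
    the user agent processes only the first one and ignores the rest."""
    values = parse_headers(raw).get("strict-transport-security", [])
    if not values:
        return "no HSTS header"
    if len(values) == 1:
        return f"ok: {values[0]}"
    note = "identical" if len(set(values)) == 1 else "DIFFERENT policies"
    return (f"duplicate HSTS ({len(values)} copies, {note}); browsers use only "
            f"the first: {values[0]}")


# Constructed sample: nginx sends one HSTS header, a WordPress plugin adds a
# second one with a weaker policy (the situation described in the thread).
SAMPLE = """HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: no-cache, must-revalidate, max-age=0, no-store, private
strict-transport-security: max-age=31536000; includeSubDomains; preload
link: <https://www.domain.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=15768000
"""

if __name__ == "__main__":
    print(duplicate_headers(SAMPLE))
    print(hsts_report(SAMPLE))
```

    Because the thread's duplicate came from a page cache, run the capture twice: once as-is and once with a cache-busting query string, and compare which copy of the header survives.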

The topic ‘HSTS Header’ is closed to new replies.