• equynox (@equynox)


    While I was checking my website speed with Pingdom Tools I discovered something rather strange. The file admin-ajax.php had 2 HSTS headers sent twice (X-Content-Type-Options nosniff and X-Frame-Options SAMEORIGIN).

    Here is the output:

    Response Headers 200
    Date: Sun, 12 Mar 2017 21:47:45 GMT
    Content-Encoding: gzip
    X-Content-Type-Options: nosniff nosniff
    X-Powered-By: PHP/5.5.28
    Connection: keep-alive
    Vary: Accept-Encoding
    Content-Length: 3862
    X-XSS-Protection: 1; mode=block
    Referrer-Policy: no-referrer-when-downgrade
    Server: nginx
    X-Frame-Options: SAMEORIGIN SAMEORIGIN
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    Content-Type: application/json; charset=UTF-8
    Access-Control-Allow-Origin: https://www.ghid-pitesti.ro
    Cache-Control: no-cache, must-revalidate, max-age=0
    Access-Control-Allow-Credentials: true
    Set-Cookie: pll_language=ro; expires=Mon, 12-Mar-2018 21:47:43 GMT; Max-Age=31536000; path=/
    Set-Cookie: wfvt_1533174094=58c5c201510fc; expires=Sun, 12-Mar-2017 22:17:45 GMT; Max-Age=1800; path=/; httponly
    X-Robots-Tag: noindex
    Keep-Alive: timeout=60
    Expires: Wed, 11 Jan 1984 05:00:00 GMT

    Now, I implemented the policies at the server level, since I own a VPN running CentOS with VestaCP and have root access.
    I am running NGINX over Apache2, since it's the Vesta default config.

    I looked in the admin-ajax.php code and I noticed that there are 2 functions called there that relate exactly to those headers:

    send_origin_headers() and send_nosniff_header()

    Since I get these two headers twice only for this specific file, admin-ajax.php, I assume it's because the policies are declared twice: once in nginx.conf at the server level, and a second time when the functions mentioned above are called. The funny part, like I said, is that it only happens to this specific file. The other 284 requests have their headers sent once.

    And I don't know if it's because of this problem or just because the file is called too many times by plugins, but admin-ajax.php takes over 2.3 sec longer to load than all the other files put together.

    I also tried commenting out the 2 functions, but I still received the header twice for SAMEORIGIN. nosniff was solved and sent once.

    But I still don't know if it's OK to tamper with WP core by hacking into admin-ajax.php and disabling those 2 functions, because I don't have enough experience and knowledge to predict whether I would generate more problems.

    I hope I explained the problem in enough detail, though I apologize for this long post.

    Please advise!
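The post above is about security headers that reach the browser twice because both the web server (nginx `add_header`) and the application (WordPress calling PHP's `header()`) emit them; nginx does not deduplicate an upstream header against its own `add_header`, so the client sees both. The following is an added example, not code from the forum post, from WordPress or from VestaCP. It parses a raw response header block and flags every security header that is either sent more than once or whose displayed value is one token repeated, which is how the Pingdom output in the post shows the merged lines (`nosniff nosniff`, `SAMEORIGIN SAMEORIGIN`). The sample response is constructed here and modelled on the post's output; the header watch-list is an assumption.

```python
"""Flag security headers that an HTTP response sends twice.

Added example: parses a raw header block and reports headers that appear
more than once, or whose single value is the same token repeated (the
merged form a tool such as Pingdom displays for duplicate headers).
"""
from collections import defaultdict

# Headers whose duplication is worth flagging (assumed watch-list).
SECURITY_HEADERS = {
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
    "content-security-policy",
}

# Constructed sample, modelled on the response shown in the post:
# one header repeated as two lines, one header shown with a merged value.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs.

    Repeated headers are kept as separate pairs and order is preserved;
    names are lower-cased because header names are case-insensitive.
    """
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_duplicates(pairs, watch=SECURITY_HEADERS) -> dict[str, list[str]]:
    """Return {header: [values]} for watched headers that were duplicated.

    A header counts as duplicated if it was received on more than one line,
    or if its single value is one token repeated (e.g. "nosniff nosniff").
    """
    seen = defaultdict(list)
    for name, value in pairs:
        seen[name].append(value)

    dupes = {}
    for name, values in seen.items():
        if name not in watch:
            continue
        if len(values) > 1:
            dupes[name] = values
        else:
            tokens = values[0].split()
            if len(tokens) > 1 and len(set(tokens)) == 1:
                dupes[name] = tokens
    return dupes


def check_response(raw: str) -> dict[str, list[str]]:
    """Parse a raw response and return the duplicated security headers."""
    return find_duplicates(parse_headers(raw))


if __name__ == "__main__":
    for header, values in check_response(SAMPLE_RESPONSE).items():
        print(f"{header}: sent {len(values)} times -> {values}")
```

Run it against a response captured with `curl -sI` (or the browser's network panel) to confirm which headers are doubled; the fix is to set each policy in exactly one layer, normally by leaving WordPress's own `header()` calls alone and removing the matching `add_header` lines from the nginx server block, rather than editing core files. The behaviour described in the post, where commenting out `send_origin_headers()` and `send_nosniff_header()` removed the duplicate `nosniff` but not the duplicate `SAMEORIGIN`, is consistent with X-Frame-Options being emitted by a different WordPress function (`send_frame_options_header()`, which core hooks to `admin_init`), so neither of the two commented-out calls was the source of that header.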

  • The topic ‘HSTS headers sent twice’ is closed to new replies.