HSTS is active but securityheaders.com do not detect it

  • Hello, i have some domains that are reported as follow by securityheaders.com :
    Strict-Transport-Security : ok
    Content-Security-Policy : NOT ok
    X-Frame-Options : NOT ok
    X-Content-Type-Options : NOT ok
    Referrer-Policy : NOT ok
    Permissions-Policy : NOT ok

    Every one of them have Headers Security Advanced & HSTS WP active with the following params that works for my other domains…
    max-age : 63072000
    enable include subdomain : ON
    CSP headers content : upgrade-insecure-requests;
    CSP report URI : (void)
    Permissions Policy Contents : (void)

    All these have the same params, but not the same results… i don’t get it. We use everywhere the same WP cache plugin (wp Rocket), could that be the problem ?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    hi @contreforme,

    I’m Andrea, I’ll help you with your request and thank you for the topic.

    Tell me if I understand correctly: on other sites you don’t see this problem, but on a specific domain you do? Obviously you are using the parameters above. Which I confirm are correct

    This allows me to rule out some mistakes

    • This reply was modified 1 month, 2 weeks ago by Andrea Ferro.
    Thread Starter Contreforme

    (@contreforme)

    Hi Andrea,

    Yes this is exactly the case : some domains are A+ and others are D with both the same configurations…
    I noticed on some domains that the WP Rocket cache plugin was interacting with the scan, it was D before i emptied completely the cache and A+ afterward, but not always and not for long either.

    This is very intriguing to me because i dont’t see why that should be as, as far as i understand, HSTS only deal with .htaccess and shouldn’t be concerned with content.

    Thanks for your time

    Hi, Contreforme,

    I experience the exact same behaviour on my sites. After an initial hooray with the fresh install and activation of the plugin, the scores have all dropped to a C or even D on each and every site.

    Olaf

    Genau das gleiche Problem habe ich hier vor über 4 Monaten schon geschrieben, aber es gibt immer noch keine L?sung und eine Antwort auf meine letzte Frage ist auch schon seit fast 4 Wochen überf?llig.

    Andrea wollte ja was testen und ausprobieren, aber hat anscheinend noch keine L?sung gefunden.

    https://www.ads-software.com/support/topic/probleme-mit-wp-rocket-2/#post-17950079

    Thread Starter Contreforme

    (@contreforme)

    Thanks @midway88 and @dgu19822 i feel less lonely ??

    Let’s hope @unicorn03 will get back to us with a solution, or at least a hint for some clues. I wouldn’t mind digging a bit on my own but right now i quite don’t know where to start…

    Best

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @dgu19822 @contreforme

    Thank you for your updates, yes I have tested several solutions as well as fixing fixes of other threads.

    I want to tell you that I am not avoiding the answer but on the contrary I am looking for a more reliable solution because I prefer to offer you a 100% working solution shortly I will update you here.

    Thank you very much for the open threads and for understanding me

    Thank you, Andrea, I have faith in your capabilities. After all, I get this service for free, and I am happy about the whole package. It’s just that we rely on your words, and you set the mark there pretty high yourself.
    Thanks again, and keep up the fine work!

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.