  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi Jason, thanks for downloading the Headers Security Advanced & HSTS WP plugin, I am glad you like the plugin.

    I am Andrea and I will help you with your issue as quickly as possible. Below I will answer your questions:

    1) I did a check with hstspreload and I confirm to you that I found an issue with the domain scan “penchecks.com”.

    response: Error: No HSTS header
    Response error: No HSTS header is present on the response.

    2) I confirm to you that with the Geekflare tool the HSTS directive for preloading in the list of browsers is recognized.

    This is the link where I performed the test (identical to yours):
    https://geekflare.com/tools/tests/qv79lk2lg

    response: great! HSTS header was found in the HTTP response headers as highlight below.

    ** Can you confirm that the installed version of the plugin is version number 5.0.04? Is your provider forcing the use of HSTS?

    I also found the error you are experiencing with HSTS Preload. Basically the preload is not performed because the declared directive is invalid (strict-transport-security: max-age=31536000).

    This is very strange because the Headers Security Advanced & HSTS WP plugin uses that directive for preloading; to be more precise, the plugin uses (Strict-Transport-Security: max-age=63072000; includeSubDomains; preload).

    Don’t worry, now we will solve everything together in no time.

    TROUBLESHOOTING RESOLUTION:
    a) Deactivate the plugin and delete it. Once this is done, try to reinstall the plugin and save permalinks for safety.

    b) If option a) had no effect, confirm that in your .htaccess file you can find the following: # Headers Security Advanced & HSTS WP – 5.0.04, and tell me the directive you see with the name “Strict-Transport-Security”.

    I will also leave you my email so you can get in touch with me even faster: [email protected]

    Thread Starter xstrych9x

    (@xstrych9x)

    Greetings, thank you for the quick response, greatly appreciated!

    I followed your suggestions, and while at first I was still seeing the odd number you pointed out, I ran it against some client sites also using your plugin and they all came back as you pointed out, so it was definitely something about this particular client, even though they are all using the same web host.

    Somewhere an old plugin or something must have been overriding your plugin settings. I turned off some other ‘security’ plugins that seemed to have some overlap (X-Frame-Options and the like) and voila, I no longer get that error!

    https://hstspreload.org/?domain=penchecks.com now shows the subdomains, correct max-age, etc.

    thank you for pointing me in the right direction!

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi Jason, great! I am glad you are no longer experiencing the issue you encountered.

    I am at your disposal for further information or issues; please feel free to write to me.

    Hi

    Thanks for an awesome plugin.
    The problem described by @xstrych9x continues to exist.
    https://hstspreload.org/?domain=penchecks.com

    But even your site tentacleplugins.com can’t “pass” https://hstspreload.org/?domain=tentacleplugins.com

    My site can’t pass either: https://hstspreload.org/?domain=cebolinha-imaginaria.com

    I already did what you suggested: uninstalled the plugin, reinstalled, checked .htaccess with the plugin installed and uninstalled, and can’t make this work.

    This is the code that my .htaccess has:

    # Headers Security Advanced & HSTS WP - 5.0.06
    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header set Access-Control-Allow-Origin "null"
    Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    Header set X-Content-Security-Policy "img-src *; media-src * data:;"
    Header always set Content-Security-Policy "report-uri https://cebolinha-imaginaria.com"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*"
    Header set X-Permitted-Cross-Domain-Policies "none"
    </IfModule>
    # END Headers Security Advanced & HSTS WP

    What can I do to pass hstspreload?

    Thanks
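    An added example (not code from the plugin or from hstspreload.org) that checks a Strict-Transport-Security value offline against the three preload requirements the thread runs into: a max-age of at least one year, includeSubDomains, and preload. It is fed the value the author found on the failing site (max-age=31536000), the value the plugin's .htaccess block sets, and the no-header case reported by hstspreload.

```python
"""Offline checker for the hstspreload.org requirements on a
Strict-Transport-Security value.  Added example, not plugin code.
Thresholds follow the published preload requirements: max-age of at
least one year, includeSubDomains and preload all present."""

ONE_YEAR = 31536000  # hstspreload.org minimum max-age (seconds)


def parse_hsts(value):
    """Split an HSTS value into a dict of lower-cased directive names.
    Valueless directives (includeSubDomains, preload) map to None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_problems(value):
    """Return the reasons a header value would fail the preload check.

    An empty list means the value satisfies all three requirements;
    None stands for a response with no HSTS header at all.
    """
    if value is None:
        return ["No HSTS header is present on the response."]
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a number.")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the required {ONE_YEAR}.")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing.")
    if "preload" not in d:
        problems.append("preload directive missing.")
    return problems


if __name__ == "__main__":
    # Constructed samples: the value seen on the failing site, the value
    # the plugin's .htaccess block sets, and the no-header case.
    for sample in ["max-age=31536000",
                   "max-age=63072000; includeSubDomains; preload", None]:
        print(repr(sample), "->", preload_problems(sample) or ["OK"])
```

    A second plugin or a CDN that rewrites the header will show up here as a value that differs from what .htaccess sets, which is the case both reporters in this thread ended up in.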

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @dmalmeida, thanks for downloading the Headers Security Advanced & HSTS WP plugin.

    I am Andrea and I will try to help you as best as I can.

    I have analyzed and performed some tests on the reported domains. I will finish the last check and then I can confirm to you where the issue is coming from.

    I figured out the problem.

    My site has a CDN with Cloudflare, and Cloudflare has some settings for HSTS that overwrite my .htaccess.

    So, I already solved this issue.

    Thanks

  • The topic ‘HSTS Preload Fail’ is closed to new replies.