• Resolved c0ntr07

    (@c0ntr07)


    When I scan my site (with a custom security script I wrote) some of the headers that are claimed to be installed are missing.

    Header Status
    
    X-XSS-Protection PRESENT
    Expect-CT MISSING
    Access-Control-Allow-Methods PRESENT
    Access-Control-Allow-Headers PRESENT
    X-Content-Security-Policy PRESENT
    X-Content-Type-Options PRESENT
    X-Frame-Options PRESENT
    X-Permitted-Cross-Domain-Policies PRESENT
    X-Powered-By PRESENT
    Content-Security-Policy PRESENT
    Referrer-Policy PRESENT
    HTTP Strict Transport Security / HSTS MISSING
    Content-Security-Policy PRESENT
    Clear-Site-Data MISSING
    Cross-Origin-Embedder-Policy-Report-Only PRESENT
    Cross-Origin-Opener-Policy-Report-Only MISSING
    Cross-Origin-Embedder-Policy PRESENT
    Cross-Origin-Opener-Policy PRESENT
    Cross-Origin-Resource-Policy PRESENT
    Permissions-Policy PRESENT
    Strict-dynamic MISSING
    Strict-Transport-Security PRESENT
    FLoC MISSING

    When I run this command

    curl -sSL -D - https://www.MY_SITE_URL.com -o /dev/null

    I get this result.

    HTTP/2 200
    x-powered-by: PHP/7.4.33
    content-type: text/html; charset=UTF-8
    access-control-allow-methods: GET,POST
    access-control-allow-headers: Content-Type, Authorization
    content-security-policy: upgrade-insecure-requests;
    cross-origin-embedder-policy: unsafe-none; report-to='default'
    cross-origin-embedder-policy-report-only: unsafe-none; report-to='default'
    cross-origin-opener-policy: unsafe-none
    cross-origin-resource-policy: cross-origin
    permissions-policy: accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), gamepad=(), serial=(), window-placement=()
    referrer-policy: strict-origin-when-cross-origin
    strict-transport-security: max-age=63072000
    x-content-security-policy: default-src 'self'; img-src *; media-src * data:;
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-permitted-cross-domain-policies: none
    link: <https://www.MY_SITE_URL.com/wp-json/>; rel="https://api.w.org/"
    link: <https://www.MY_SITE_URL.com/wp-json/wp/v2/pages/2398>; rel="alternate"; type="application/json"
    link: <https://www.MY_SITE_URL.com/>; rel=shortlink
    etag: "1973-1687447214;;;"
    x-litespeed-cache: hit
    content-length: 169310
    date: Thu, 22 Jun 2023 15:21:48 GMT
    server: SERVER_NAME
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

    What am I doing wrong or is there a bug here?

Viewing 1 replies (of 1 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @c0ntr07, thank you for your topic and for downloading the Headers Security Advanced & HSTS WP plugin. I am Andrea and I will help you in your request as best as I can.

    For some reason I am experiencing problems in receiving notifications of open topics, but I am here now to help you.

    Checking your request I will answer you by steps to the various headers that the script reports as missing:

    a) The ‘Expect-CT’ header has been removed from the code to conform to current web standards. This functionality had been marked as deprecated and is no longer recommended for use. An update was made to the plugin in version 5.0.20 to remove its use and ensure compatibility with current security practices.

    b) The Clear-Site-Data header was removed because it was causing data issues (Clear-Site-Data works on cookies, storage and cache); however, we may re-evaluate the integration in the future.

    c) The HSTS header is correctly implemented in the plugin. However, I recommend that you check the plugin settings to ensure that they are enabled correctly and that they are flagged correctly. In particular, check whether the ‘HSTS include subdomains’ and ‘HSTS preload’ options are enabled. If they are not, I kindly ask you to check them and save the plugin settings again. This will ensure that the HSTS header is properly configured to include subdomains and is ready for preload.

    d) Fixed an issue with the “Cross-Origin-Opener-Policy-Report-Only” header not being properly scanned or implemented.

    e) The problem of the missing Google FLoC (Federated Learning of Cohorts) header was fixed with the release of version 5.0.24 of the plugin. Now the FLoC header should be correctly recognized by your script and included in your site responses, allowing you to block this Google feature for marketing and advertising strategies.

    f) Regarding Strict-dynamic, I am working on an important update that implements CSP practices to make the plugin as complete and simple as you know it now.

    Update the plugin to version 5.0.25 to ensure that the missing or unrecognized headers are included in your site responses. I remain operational to help you with additional requests or threads. I hope I have been helpful.

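As an added example (not the plugin's code, and not the poster's script), here is a small Python checker that runs over a header dump captured with the same `curl -sSL -D - <url> -o /dev/null` command used above. It matches on the wire name, case-insensitively, which is the lookup a checker row labelled "HTTP Strict Transport Security / HSTS" has to perform against `strict-transport-security`; it looks for `'strict-dynamic'` inside the Content-Security-Policy value and for `interest-cohort=()` inside Permissions-Policy, since neither "Strict-dynamic" nor "FLoC" is a response header of its own; and it parses the HSTS directives the reply refers to (includeSubDomains, preload). The one-year max-age, includeSubDomains and preload thresholds it applies are the hstspreload.org submission requirements and are an assumption of the example, as is the sample header dump, which is constructed from the response quoted in the question.

```python
"""Added example (not the plugin's code): check security headers in a
captured `curl -sSL -D - <url> -o /dev/null` dump."""
import re
from typing import Dict, List

# Constructed sample, based on the response headers quoted in the thread.
SAMPLE_HEADERS = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: upgrade-insecure-requests;
cross-origin-opener-policy: unsafe-none
permissions-policy: accelerometer=(), geolocation=(self), payment=*
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
"""

# Wire names to look for.  "HSTS", "FLoC" and "strict-dynamic" are not header
# names: HSTS is Strict-Transport-Security, the FLoC opt-out is interest-cohort=()
# inside Permissions-Policy, and 'strict-dynamic' is a CSP source expression.
EXPECTED = [
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
    "permissions-policy", "cross-origin-opener-policy",
    "expect-ct",        # deprecated, so MISSING is the expected result today
    "clear-site-data",
]
# hstspreload.org requirements (assumed here): one-year max-age,
# includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into {lowercased name: [values, ...]}.
    The status line and blank lines are skipped; repeated headers keep
    every value in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def header_status(raw: str) -> Dict[str, str]:
    """PRESENT/MISSING per expected header, matched case-insensitively on the
    wire name (HTTP field names are case-insensitive)."""
    headers = parse_headers(raw)
    return {n: ("PRESENT" if n in headers else "MISSING") for n in EXPECTED}


def hsts_directives(value: str) -> Dict[str, object]:
    """Split an HSTS value (RFC 6797) into max-age / includeSubDomains / preload."""
    out: Dict[str, object] = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            digits = val.strip().strip('"')
            out["max-age"] = int(digits) if digits.isdigit() else None
        elif key == "includesubdomains":
            out["includeSubDomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def hsts_issues(value: str) -> List[str]:
    """Findings for an HSTS value against the preload-list requirements."""
    d = hsts_directives(value)
    issues: List[str] = []
    if d["max-age"] is None:
        issues.append("max-age missing or not a number")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        issues.append("max-age below one year (%d)" % PRELOAD_MIN_MAX_AGE)
    if not d["includeSubDomains"]:
        issues.append("includeSubDomains missing")
    if not d["preload"]:
        issues.append("preload missing")
    return issues


def csp_has_strict_dynamic(csp: str) -> bool:
    """True if any CSP directive lists the 'strict-dynamic' source expression."""
    return any("'strict-dynamic'" in d.lower().split() for d in csp.split(";"))


def floc_opted_out(permissions_policy: str) -> bool:
    """True if Permissions-Policy carries interest-cohort=() (the FLoC opt-out)."""
    return re.search(r"(^|,)\s*interest-cohort=\(\s*\)", permissions_policy.lower()) is not None


def scan(raw: str) -> Dict[str, object]:
    """Full report over a raw header dump; the HSTS check uses the first value."""
    h = parse_headers(raw)
    hsts = h.get("strict-transport-security", [""])[0]
    return {
        "headers": header_status(raw),
        "hsts_issues": hsts_issues(hsts) if hsts else ["Strict-Transport-Security missing"],
        "csp_strict_dynamic": csp_has_strict_dynamic("; ".join(h.get("content-security-policy", []))),
        "floc_opted_out": floc_opted_out(", ".join(h.get("permissions-policy", []))),
    }
```

Run `scan(SAMPLE_HEADERS)` on the constructed dump and it reports Strict-Transport-Security as PRESENT (the poster's "HSTS MISSING" row is a lookup on a label rather than a wire name), flags the HSTS value `max-age=63072000` as lacking includeSubDomains and preload, and reports no 'strict-dynamic' source and no interest-cohort=() opt-out. To check a live site, feed it the output of `curl -sSL -D - https://example.com -o /dev/null` instead of the sample.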
  • The topic ‘Not all headers set as the plugin states’ is closed to new replies.