• Hi Dmitri,

    Great job on a useful plugin.

    The only problems I really have are with a few of the features, namely the NONCE and SRI generation, and their limitations when incorporated into an htaccess-based configuration of the CSP:

    The NONCEs are supposed to change with EVERY page (re)load. This is not possible if they are defined within an htaccess-based configuration, because the contents of the htaccess should never change with each access of the website’s resources. Therefore, this part, the CSP header, really should be (re)generated when a page is (re)loaded – as would be provided by executing this function from within PHP.

    The SRIs should be capable of being generated from within the website’s own server environment (and also within PHP, if the “HASH” libraries are installed). This also makes it possible to code in a function which could conceivably check to see if a software update has occurred (main core and plugins, themes, etc.), and the SRIs for the newly-updated scripts/styles can be recomputed for the newer versions.

    Most of the other headers’ assignments and settings CAN feasibly be done from the htaccess, as their contents/values are not as likely to change from page load to page load. But the CSP header settings (mostly the NONCE and SRI values) need to be generated from PHP.

    – – –

    As for the UI on the HTTP Header Plugin’s dashboard,

    I would like to propose a possible visual improvement, if you are willing to see my idea. I would welcome any invitation to help in the development of this plugin, if you are open to such an offer.

    Again,

    Great job on a very useful plugin.

    – Jim S. Smith, (AFWS)
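The two points raised in the post above (a CSP nonce that is fresh on every request, and SRI hashes computed on the server so they can be refreshed after an update) as an added PHP example. This is not the plugin's code and not Jim's; the function names, the asset path and the cache array are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's own code. Shows why the CSP header cannot
// live in a static .htaccess: the nonce must differ per request, and the
// SRI value must be recomputed whenever the served file changes.

// Hypothetical helper: one fresh nonce per request. PHP re-runs the script on
// every request, so the static is reset and a new value is drawn each time.
function csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // random_bytes() throws if no CSPRNG is available, which is the safe failure mode.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Hypothetical helper: SRI integrity value "<algo>-<base64 raw digest>" over the
// exact bytes on disk. The third argument asks for the raw digest, not hex.
function sri_hash(string $path, string $algo = 'sha384'): string {
    $raw = hash_file($algo, $path, true);
    if ($raw === false) {
        throw new RuntimeException("cannot hash $path");
    }
    return $algo . '-' . base64_encode($raw);
}

// Hypothetical helper: recompute the SRI only when the file's mtime or size
// changed, which is what happens after a core/plugin/theme update. In WordPress
// the $cache array would be persisted with update_option() (assumption); here it
// is just an in-memory array passed by reference.
function sri_hash_cached(string $path, array &$cache): string {
    $stat  = stat($path);
    $stamp = $stat['mtime'] . ':' . $stat['size'];
    if (isset($cache[$path]) && $cache[$path]['stamp'] === $stamp) {
        return $cache[$path]['hash'];
    }
    $hash = sri_hash($path);
    $cache[$path] = ['stamp' => $stamp, 'hash' => $hash];
    return $hash;
}

// Hypothetical helper: emit the CSP header. Must run before any output is sent,
// because header() has no effect once the response body has started.
function send_csp_header(string $nonce): void {
    $policy = "default-src 'self'; "
            . "script-src 'self' 'nonce-$nonce'; "
            . "style-src 'self' 'nonce-$nonce'";
    header('Content-Security-Policy: ' . $policy);
}

// Typical use at the top of the request handler:
$nonce = csp_nonce();
send_csp_header($nonce);

// Later, when the page emits its tags (values escaped for an HTML attribute):
$sriCache   = [];                                   // would be loaded from storage
$scriptPath = __DIR__ . '/assets/app.js';           // hypothetical asset path
$integrity  = file_exists($scriptPath) ? sri_hash_cached($scriptPath, $sriCache) : '';

printf(
    '<script src="/assets/app.js" nonce="%s"%s></script>',
    htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8'),
    $integrity !== ''
        ? ' integrity="' . htmlspecialchars($integrity, ENT_QUOTES, 'UTF-8') . '"'
        : ''
);
```

Two caveats a practitioner would check: the integrity value must be computed over the bytes the browser actually receives, so any minification or rewriting that happens after hashing will make the script fail to load; and the mtime/size check is a heuristic, so in WordPress it is cleaner to also clear the cache from the upgrader_process_complete action so hashes are refreshed the moment an update finishes.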

  • The topic ‘Some headers (namely CSP) should remain PHP-Generated.’ is closed to new replies.