MrCarlLister
Forum Replies Created
Forum: Plugins
In reply to: [Security Header Generator] Strict-Transport-Security
Thanks for responding @kevp75
If we set up our own CloudFlare account and used that, would we be able to allow your rules to bypass (not manually set them in CloudFlare, but just let yours pull through)?
We did manage to find a server-side solution with Kinsta, which included defining server-side security headers for file types
Example:
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|mov|ttf|css|js|jpg|jpeg|gif|png|ico|webp|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; }
Not sure if this is something you can use to create a work around?
Forum: Plugins
In reply to: [Security Header Generator] Strict-Transport-Security
We’re unable to disable CloudFlare’s caching. That said, support informed me that they don’t have CloudFlare caching enabled on their staging environments.
Manually setting headers with Nginx doesn’t fix the above issue but does pull through and display on /wp-json/ – where the plugin settings do not. Not sure if this is related. See image where I’ve added the Strict-Transport-Security setting manually (this causes duplication where plugin settings are working)
Forum: Plugins
In reply to: [Security Header Generator] Strict-Transport-Security
Sorry Kevin. Thanks for responding.
- WP – 6.2.2
- Plugin – 4.0.01
- PHP – 8.0
I’ve enabled Apply to Admin
I can’t share the pen test report in full but here’s a snippet —-
Issue
There was no “Strict-Transport-Security” header in the server response.
Request
GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5Bchunk_0%5D=dashicons,admin-bar,wp-pointer,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets&load%5Bchunk_1%5D=,site-icon,l10n,buttons,wp-auth-check,media-views&ver=6.2.2 HTTP/2
Host: mydomain.com
Cookie:XXXXXXXX
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://mydomain.com/wp-admin/plugins.php
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers
Response
HTTP/2 200 OK
Date: Tue, 19 Sep 2023 16:08:39 GMT
Content-Type: text/css; charset=UTF-8
Cf-Ray: 809316b18ee00716-LHR
Cf-Cache-Status: DYNAMIC
Cache-Control: public, max-age=31536000
Expires: Wed, 18 Sep 2024 16:08:39 GMT
Vary: Accept-Encoding
Ki-Cache-Type: None
Ki-Cf-Cache-Status: BYPASS
Ki-Edge: v=20.2.1;mv=2.2.2
X-Content-Type-Options: nosniff
X-Edge-Location-Klb: 1
X-Kinsta-Cache: BYPASS
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
X-Xss-Protection: 1; mode=block
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Oao6ctGd4dsoWWdWg0UvxSsa1WomrKBIHZghOmyXqjOY60SY7Br23w2RMlhfDWac0efUjJHJO6JmnjVmPhUo9aGYFZPDieRwKDXk1Fg1G92RU1MI9djs6Pa94dt2dBHwI3erKkUBa4nF6S29xk1qOZPpP4t%2B%2F4TE2HI%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400

/*! This file is auto-generated */ @font-face{font-family:dashicons;src:url("../wp-includes/fonts/dashicons.eot?99ac726223c749443b642ce33df8b800");src:url("../wp-includes/fonts/dashicons.eot?99ac72622 ...[SNIP]...
Thanks for getting back to me!
Please let me know when you have an update
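Added example (not part of the original posts and not the plugin's code): a small Python check for the two conditions discussed in the posts above, a response with no Strict-Transport-Security header and one where the header appears twice. The sample responses are constructed, modelled on the pen test snippet and the nginx rule; `audit_hsts` and `_resp` are hypothetical names.

```python
import re

def audit_hsts(raw_response: str) -> dict:
    """Report on the Strict-Transport-Security header(s) of one raw response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    report = {"count": len(values), "max_age": None,
              "include_subdomains": False, "preload": False, "findings": []}
    if not values:
        report["findings"].append("missing")
        return report
    if len(values) > 1:
        report["findings"].append("duplicate")
    # RFC 6797 section 8.1: a browser processes only the first STS field.
    for directive in values[0].split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age" and val.isdigit():
            report["max_age"] = int(val)
        elif key == "includesubdomains":
            report["include_subdomains"] = True
        elif key == "preload":
            report["preload"] = True
    if report["max_age"] is None:               # max-age is a required directive
        report["findings"].append("no-max-age")
    return report

def _resp(*headers: str) -> str:
    """Build a constructed sample response (hypothetical helper)."""
    return "HTTP/2 200 OK\r\n" + "\r\n".join(headers) + "\r\n\r\n/* css */"

HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
# Constructed samples: abridged pen-test style response, nginx only, nginx + plugin.
NO_HSTS = _resp("Content-Type: text/css; charset=UTF-8", "Server: cloudflare",
                "X-Content-Type-Options: nosniff")
ONCE = _resp("Content-Type: text/css; charset=UTF-8", HSTS)
TWICE = _resp("Content-Type: text/html; charset=UTF-8", HSTS, HSTS)

if __name__ == "__main__":
    for label, raw in (("no header", NO_HSTS), ("once", ONCE), ("twice", TWICE)):
        print(label, audit_hsts(raw))
```

Running the same check against each response type a site serves (static assets, `/wp-admin/`, `/wp-json/`) shows which layer is setting the header for which paths.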
Forum: Plugins
In reply to: [User Access Manager] Get User Group Name (for string comparison)
@sgoerger did you find a solution to this? I’m looking for something similar.
Forum: Plugins
In reply to: [Visual Form Builder] VFB Pro address – ordering output
Thanks for the reply Jan. I’ve already asked for support directly but they said that they don’t support the extension of the plugin. I was told that “it is a bit outside of our normal support.” And that I should “hire someone” to do it.
I am trying to learn myself so if you can point me in the direction of a pro-like community (as we have here for free version) or anything else really. That would be great!
Cheers
Forum: Plugins
In reply to: [Visual Form Builder] VFB Pro address – ordering output
It looks like the fields are reordered using jquery too at addressfield.js.
Might be easier to just use independent text fields unless anyone has any suggestions.
I can confirm this issue too (also, thanks for the heads up @garrett-eclipse I was just about to write my own api request there and scrap this plugin!)
Forum: Plugins
In reply to: [WooCommerce Stripe Payment Gateway] Problem with TLS 1.2
Anyone have any solutions to this? I am testing on a dev server but getting this message even though TLS is 1.2.
Forum: Themes and Templates
In reply to: [Theme: Flatsome] Full width row
Not sure if you’re still looking for this, or at least it might help others.
Setting width to 100% works even though the UI only asks for px.
[row width="100%"] sets the inline css to max-width:100% which gave me the desired effect.
@danieliser thanks for getting back to me. No JS errors. The popup just isn’t loading.
I’ve tried it with a post and it works. So there’s something about my custom post types which aren’t triggering the condition to return true.
I’ve tried individual single.php and single-post_type.php but from what I can tell from the plugin is that you only check if it is a single post page that matches post type.
Is there anything else you could think of trying?
Thanks again
@danieliser – thanks for the reply. I’ll create a new ticket soon!
Hello – I was also experiencing this issue with the plugin after updating.
I was only getting the error when trying to create or view posts (of any post type).
It was originally showing as an error 500 but logs showed the same error message as @cpkn.
I’ve deactivated until patch.
Forum: Plugins
In reply to: [Contact Form 7] Multi-step contact form
Hi @jan Dembowski – sorry about that.
I have a work account + personal account. I tried posting from one and got an error, that’s the only reason I used the other (also still got an error).
I’m actually surprised to see this thread here
Anyway, back on topic!
Forum: Plugins
In reply to: [Fast Secure Contact Form] Problem working with 123-reg webmail
OK @postman SMTP thanks for your help. I’ll take it up with them.
Thanks again for your help!