Forum Replies Created

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter nerik73

    (@nerik73)

    Hi, thank you very much for your reply.

    Yes…this sounds right to me, but I still don’t understand.

    As you can see here:

    https://ibb.co/rwrmTBN

    if I browse the before-optimization page version at:

    https://skycloudsacademy.com/?LSCWP_CTRL=before_optm

    the 7 JavaScript files loaded with the page are all already present in the exclusion list.

    So, how is it possible that the error is still getting triggered?

    I’ve also tried to block all the JS except “script.min.js” from the dev console but I can’t replicate the issue (obviously I get errors when I block jquery and/or jquery migrate but these are different errors).

    I’ve seen this inline JS inside the HTML code of the page.

    https://ibb.co/XjNRL7t

    Could this be the trigger of the problem? If yes, how could I solve/workaround it?

    Thank you in advance for your support!

    Thread Starter nerik73

    (@nerik73)

    I think your plugin IS and ALWAYS WILL BE “the fastest and the easiest”.

    That’s the reason why I’m choosing yours for all my websites. And this is also the reason I’m writing on this forum and not on a competitor’s one!

    But adding a very simple but useful option (for “worried” people like me or for anyone else who wants to better his own website security score) I think would be a huge “plus”. Nobody would complain about it, I’m confident about that.

    “More secure” doesn’t mean “more complicated”. We’re talking about a check-box and probably a PHP ternary operator usage in a couple of places inside your code.

    Try to do some research on the web, Emre: you will find a lot of security auditing tools that care about this aspect and also a lot of people saying that, wherever possible, everyone should use “https” instead of a relative protocol.

    This is another very interesting resource:
    https://webhint.io/docs/user-guide/hints/hint-no-protocol-relative-urls/

    I know you could be busy with thousands of other things to do…but I don’t think you should ignore this issue at all…please save it in your to-do list!!

    • This reply was modified 4 years, 9 months ago by nerik73.

    @sedrs, sorry but I don’t understand…what do you mean by “domain document”? Is it your website home URL? If so, if you test “www.yourdomain.com/subpage” on securityheaders.com does it work?

    The header rules you’ve posted above here are part of automatic changes by WPFC on .htaccess and they’re fine.
    And they don’t interfere with any other security headers you can specify afterwards in the same file.

    If you set the security headers OUTSIDE the WPFC .htaccess dedicated area, they must work!!

    Are you sure your Apache mod_headers module is active? Can you see it if you run a phpinfo()?

    Which OS is running on your hosting?

    Anyway…How can it be possible that you see headers in console but not in a “public” HTTP response?!?

    Can you try with this tool: https://headers.cloxy.net/ and post what you get testing both home page and inner page of your website?

    I’m getting even more curious…let me know, please!

    Thread Starter nerik73

    (@nerik73)

    Sorry Emre, but I think you are just underestimating a possible security issue in your plugin.

    Of course, this precise technical aspect could be debatable…but I don’t see any “nonsense” here…when WordPress is free to choose in between http and https there’s always a potential risk. (See what’s happening about “mixed content” security warnings too).

    Why don’t you offer a simple configuration option so that anyone can decide this behaviour on his own website?

    Looking forward to your feedback about my proposal, thank you.

    @sedrs

    Can you kindly confirm if my solution worked fine for you too please?

    @emrevona
    Not true at all, buddy! I’m running WPFC with security headers on several websites.

    @sedrs
    Did you maybe set your header rules inside the WPFC dedicated section of .htaccess?

    I mean in between

    # BEGIN WpFastestCache
    and
    # END WpFastestCache

    If so this is the problem!!!

    You should set it AFTER (or before) that section…something like:

    # BEGIN WpFastestCache
    ...
    # END WpFastestCache
    
    # My custom headers here below
    
    <IfModule mod_headers.c>
    Header unset X-Powered-By
    Header unset Server
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    Header always append X-Frame-Options SAMEORIGIN
    Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>
    
    # END of my custom headers

    It works well for me!!!
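The placement check described in the reply above, as an added example (not the poster's or the plugin's code): it reads the text of an .htaccess file and reports which security `Header` directives sit inside the `# BEGIN WpFastestCache` / `# END WpFastestCache` section and which are still not set outside it. The function name, the sample file and its `Cache-Control` line are constructed for illustration.

```python
import re

# Header names taken from the .htaccess snippet in the reply above.
SECURITY_HEADERS = {"strict-transport-security", "x-xss-protection",
                    "x-content-type-options", "x-frame-options",
                    "referrer-policy"}
BEGIN = re.compile(r"^\s*#\s*BEGIN\s+(\S+)\s*$")
END = re.compile(r"^\s*#\s*END\s+(\S+)\s*$")
# Directive names are case-insensitive; a condition may precede the action.
HEADER = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?(\w+)\s+"?([\w-]+)', re.I)


def audit_htaccess(text, managed="WpFastestCache"):
    """Classify security Header directives by position relative to the
    '# BEGIN <managed>' ... '# END <managed>' section.
    'inside'/'outside' hold (line_no, name); 'missing' lists headers never
    set outside the section; 'unterminated' flags a missing END marker."""
    inside, outside, current = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = BEGIN.match(line)
        if m and current is None:
            current = m.group(1)
            continue
        m = END.match(line)
        if m and m.group(1) == current:
            current = None
            continue
        m = HEADER.match(line)
        if not m or m.group(1).lower() == "unset":
            continue
        if m.group(2).lower() in SECURITY_HEADERS:
            (inside if current == managed else outside).append((no, m.group(2)))
    seen = {name.lower() for _, name in outside}
    return {"inside": inside, "outside": outside,
            "missing": sorted(SECURITY_HEADERS - seen),
            "unterminated": current == managed}


# Constructed sample: one security header was pasted into the plugin's section.
SAMPLE = """\
# BEGIN WpFastestCache
Header set Cache-Control "max-age=3600"
Header set X-Content-Type-Options nosniff
# END WpFastestCache
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
"""
```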

    Thread Starter nerik73

    (@nerik73)

    It could be a security risk, that’s the reason why I would like to fix it.

    https://sitebulb.com/hints/security/loads-page-resources-using-protocol-relative-uris

    Hi,

    it sounds like some javascript breaks when you activate the plugin, which could depend on some incompatibility with your theme or other plugins.

    It would be helpful if you would provide a couple of screenshots of the WPFC activated options and of the JavaScript console when errors appear on the page.

    Anyway, I would suggest:

    1 – Deactivate all non-essential plugins, especially if you have another cache plugin installed/activated (different from WPFC)
    2 – Reactivate WPFC
    3 – In WPFC configuration activate only a couple of basic features (NO javascript minification/combine option for the moment)
    4 – Delete cache
    5 – Refresh your front page in a NON-logged in session (better if with a different browser than the one you’re using for WordPress dashboard)
    6 – If no error displayed, then go on and repeat steps 3-5 activating all your desired options (see here for some tips: https://blogaid.net/wp-fastest-cache-settings/)

    When you think that your WPFC configuration is optimal and your site rendering is still correct, then try to re-activate the other plugins one at a time.
    After each plugin reactivation, refresh your front-page and see if something happens.

    If after a plugin reactivation you’re experiencing any error it means there’s a conflict. In that case you should deactivate each WPFC option ONE AT A TIME, until you find which one makes the conflict pop up.

    Hope this helps.
    R

    • This reply was modified 4 years, 9 months ago by nerik73.

    Hi,

    what does it mean exactly? Which plugin are you using? What’s the issue after reactivating WPFC?

    Have you tried to purge the WPFC cache and then reload your page (when you’re not logged in)?

    Can you see the desired security headers in the browser’s developer tools (Network tab)?

    Anyway…if it still doesn’t work you can add security headers manually to your .htaccess file (obviously Apache mod_headers.c must be activated if it’s not yet). Then delete your cache once again and check one more time in the browser’s dev tools.

    Have a look at this anyway, it should help:
    https://scotthelme.co.uk/hardening-your-http-response-headers/

    Good luck!

    Thread Starter nerik73

    (@nerik73)

    Ok, thank you Marco!

    rel. 2.3.10 solved my issue: now I’m getting a confirmation email every time I ask for a new user’s registration.

    Hi,

    same problem…

    could anyone help us please?!?

    Thread Starter nerik73

    (@nerik73)

    Ok, I found template management inside plugin menu!!!

    I have to change settings there.

    Thanks!
