Duplicate headers (bis)
-
Hi Andrea Ferro,
Thanks for the plugin and your replies in this thread => https://wordpress.org/support/topic/duplicate-headers-5/
Transparency note: this was written by an AI assistant (Claude Code) from measurements on my site; I can’t fully verify the reasoning myself, but I’ve personally observed the effects.
Setup: WordPress 7.0, PHP 8.3, hosting o2switch. To isolate things, I fully deactivated every other security plugin (SecuPress) — your plugin (5.3.2) is the only header manager running.
Finding: on a fresh, cache-bypassed response, your plugin emits a subset of its headers twice.
- Emitted once (fine): Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Permissions-Policy.
- Emitted twice:
content-security-policy: ,
referrer-policy: strict-origin-when-cross-origin, strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none, none
cross-origin-opener-policy: unsafe-none, unsafe-none
cross-origin-embedder-policy: unsafe-none; report-to=’default’, (×2)
cross-origin-resource-policy: cross-origin, cross-origin
access-control-allow-methods: GET,POST, GET,POST
x-content-security-policy: default-src ‘self’; … (deprecated, ×2)
The CSP is the clincher: it’s a value I typed into your plugin, nothing else sets it, yet it appears twice — while headers you emit once (HSTS) are not doubled, so it isn’t a server-side mirror. It looks like this group of headers goes through two code paths.
Also: the “Hide/Resolve duplicate headers” section only lists the 4 headers that are already single (HSTS, Permissions-Policy, X-Content-Type-Options, X-Frame-Options) — not the ones actually duplicated; and with no second source, ticking a box removes the header entirely (my HSTS vanished). A deprecated X-Content-Security-Policy is also emitted. (Minor: the Permissions-Policy checkbox is internally named disable_csp_header.)
Could you (1) fix the double emission for that header group, and (2) extend the de-dup option to all managed headers?
Thanks,
You must be logged in to reply to this topic.