• Hi Andrea Ferro,

    Thanks for the plugin and your replies in this thread => https://wordpress.org/support/topic/duplicate-headers-5/

    Transparency note: this was written by an AI assistant (Claude Code) from measurements on my site; I can’t fully verify the reasoning myself, but I’ve personally observed the effects.

    Setup: WordPress 7.0, PHP 8.3, hosting o2switch. To isolate things, I fully deactivated every other security plugin (SecuPress) — your plugin (5.3.2) is the only header manager running.

    Finding: on a fresh, cache-bypassed response, your plugin emits a subset of its headers twice.

    • Emitted once (fine): Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Permissions-Policy.
    • Emitted twice:
      content-security-policy: ,
      referrer-policy: strict-origin-when-cross-origin, strict-origin-when-cross-origin
      x-permitted-cross-domain-policies: none, none
      cross-origin-opener-policy: unsafe-none, unsafe-none
      cross-origin-embedder-policy: unsafe-none; report-to=’default’, (×2)
      cross-origin-resource-policy: cross-origin, cross-origin
      access-control-allow-methods: GET,POST, GET,POST
      x-content-security-policy: default-src ‘self’; … (deprecated, ×2)

    The CSP is the clincher: it’s a value I typed into your plugin, nothing else sets it, yet it appears twice — while headers you emit once (HSTS) are not doubled, so it isn’t a server-side mirror. It looks like this group of headers goes through two code paths.

    Also: the “Hide/Resolve duplicate headers” section only lists the 4 headers that are already single (HSTS, Permissions-Policy, X-Content-Type-Options, X-Frame-Options) — not the ones actually duplicated; and with no second source, ticking a box removes the header entirely (my HSTS vanished). A deprecated X-Content-Security-Policy is also emitted. (Minor: the Permissions-Policy checkbox is internally named disable_csp_header.)

    Could you (1) fix the double emission for that header group, and (2) extend the de-dup option to all managed headers?

    Thanks,

You must be logged in to reply to this topic.