• Resolved Michael

    (@mkalina)


    I am making use of NF’s “HTTP response headers” feature. However, I suppose that, as the firewall only loads when PHP scripts are being called, these headers are not sent when static pages are requested. This is the case when using a caching module.

    So I suggest either informing users of this fact or suggesting that they write these headers into their htaccess (or other files accepting header instructions), as this might cause confusion.

    On the other hand, same as you do with “Force SSL for admin and logins”, the HTTP headers options should be disabled if these headers are already configured elsewhere (e.g. htaccess).

    https://wordpress.org/plugins/ninjafirewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi

    I don’t think there is a problem with caching plugins: the firewall “HTTP response headers” options are used to protect you, the admin, or anyone else logged in and whitelisted. But your caching plugin does/should not cache anything while you are logged in, otherwise that would be an important security risk (e.g., it would even cache nonces!). It should only cache the front-end for your visitors.

    Thread Starter Michael

    (@mkalina)

    Hi, got it. Thank you!

    That of course explains the approach you are promoting. However, one point is still valid: if you can find HTTP response headers configured already, this option should be disabled.

    Because now I know that I have to put them somewhere else, as I want my HTTPS site to also be strengthened for non-admins.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    NinjaFirewall cannot detect the response headers if you enable them at the HTTP server level because your HTTP server will add them after NinjaFirewall and PHP exit.
    Your HTTP server must check the headers and set/unset them if needed. Both Apache and Nginx can do that.
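
To check the two situations discussed in this thread (headers absent on pages served from a cache without PHP running, and the same header set by both the PHP layer and the HTTP server), the following script audits raw response heads. It is an added example, not part of the thread or of NinjaFirewall's code; the required-header list and both sample responses are constructed assumptions.

```python
# Added example: compare security headers on a cached page and a PHP-generated page.
# Both raw responses are constructed sample data, not captures from a real site.
from collections import Counter

# Assumed set of headers to require; adjust to the site's own policy.
REQUIRED = ("strict-transport-security", "x-content-type-options", "x-frame-options")

CACHED_PAGE = (  # constructed: static file served by a cache, PHP never ran
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: max-age=3600\r\n"
    "\r\n"
)
PHP_PAGE = (  # constructed: PHP layer and web server both set X-Frame-Options
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

def header_counts(raw):
    """Count occurrences of each header name (lower-cased) in a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    counts = Counter()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, _ = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            counts[name.strip().lower()] += 1
    return counts

def audit(raw, required=REQUIRED):
    """Return (missing, duplicated) required header names for one response."""
    counts = header_counts(raw)
    missing = [h for h in required if counts[h] == 0]
    duplicated = [h for h in required if counts[h] > 1]
    return missing, duplicated

if __name__ == "__main__":
    for label, raw in (("cached page", CACHED_PAGE), ("PHP page", PHP_PAGE)):
        missing, duplicated = audit(raw)
        print(f"{label}: missing={missing} duplicated={duplicated}")
```
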

    Thread Starter Michael

    (@mkalina)

    Ok, I thought more along the lines of: you check php.ini, htaccess or any other configuration file for a matching configuration and then disable it. But anyway: thank you!


The topic ‘HTTP response headers not sent when using a cache plugin’ is closed to new replies.