Support » Plugin: W3 Total Cache » Can’t set Security Header

  • Resolved skariko

    (@skariko)


    Hello,
I have W3 Total Cache installed and it works properly. I am trying to add Security Headers in the “Browser Cache” section but I can’t see the changes in my header online.

I checked STS Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and CSP but none of them shows in the header of my website.

    Am I doing something wrong?

    Thanks.

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @skariko

    Thank you for your inquiry and I am happy to assist you with this.
    I’ve checked your website and I can see the following (please check the screenshot):

    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-XSS-protection: 1; mode=block

    The Content Security Policy (CSP) header reduces the risk of XSS attacks by allowing you to define where resources can be retrieved from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site.
    For this option, you also need to specify for example base-URI: or other directives as suggested in the plugin.
For the HTTP Strict Transport Security policy, the Directive: is determined in seconds (as defined under the “Expires Header Lifetime” box of “Media & Other Files”) that the browser should remember that this site is only to be accessed using HTTPS. Also, as I can see, the cache-control and expires headers are not enabled in Performance>Browser Cache.
    Thanks!

    Thread Starter skariko

    (@skariko)

Thanks for the support,
you are right: the header is there on the requested URL, like the CSS in your screenshot.

But I can’t see the security header on the request URL of the homepage or of a single article, like in my screenshot: https://imgur.com/d7aKFeG

Is there something that I don’t understand? Or is there something I am missing in other settings?

    Thanks

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @skariko

Thank you for the information. I’ve tried to replicate this but no luck. Please check the screenshot.
As I can see you are on Apache. Can you please check your .htaccess file and see if you have the following block in the W3TC Browser Cache rules:

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
        Header always append X-Frame-Options "SAMEORIGIN"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>

    Thanks!
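The situation in this thread is that the header block above is present in .htaccess but the headers only show up on static assets, not on HTML pages. A quick way to confirm that without guessing from screenshots is to fetch each kind of URL and compare the response headers. The script below is an added example, not part of W3 Total Cache or this thread; it parses raw HTTP responses and reports which of the headers from the block above (plus Content-Security-Policy from the plugin option) are missing, and flags weak values. The two responses, `CSS_RESPONSE` and `HTML_RESPONSE`, are constructed to mirror the symptom (CSS file has the headers, homepage does not); the one-year HSTS threshold is taken from the `max-age=31536000` value in the block.

```python
"""Audit which security headers an HTTP response carries.

Added example, not W3 Total Cache code. The two sample responses are
constructed: a CSS asset that carries the header block and an HTML
page that does not, which is the symptom reported in the thread.
"""
from email.parser import Parser  # stdlib parser for RFC 822-style header blocks

# Headers set by the W3TC .htaccess block in the thread, plus CSP,
# which the plugin emits when its directives are filled in.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Content-Security-Policy",
)
ONE_YEAR = 31536000  # seconds, the max-age value used in the .htaccess block


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercase-name: value}).

    Names are lower-cased so lookups are case-insensitive; servers emit
    them in varying case (the thread's screenshot shows 'x-XSS-protection').
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    msg = Parser().parsestr(header_block)
    return status_line, {name.lower(): value for name, value in msg.items()}


def parse_csp(value):
    """Turn a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Return the max-age seconds from an HSTS value, or None if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(raw):
    """Return {"missing": [header names], "findings": [weak-value notes]}."""
    _, headers = parse_response_headers(raw)
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in headers]
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    csp = headers.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        for directive, sources in policy.items():
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"CSP {directive} allows {sources}")
    return {"missing": missing, "findings": findings}


# Constructed sample: a CSS asset served with the W3TC header block applied.
CSS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "x-XSS-protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "body{margin:0}"
)

# Constructed sample: the HTML homepage served without the header block.
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: max-age=0\r\n"
    "\r\n"
    "<!doctype html><html></html>"
)

if __name__ == "__main__":
    for label, raw in (("css", CSS_RESPONSE), ("html", HTML_RESPONSE)):
        print(label, audit(raw))
```

To check a live site, feed `audit()` the output of `curl -sI` for the homepage and for a CSS file and compare the two `missing` lists: if the asset is clean and the page is not, the header rules are being applied only to the static-file path (or, as in this thread, the page is being served by a cache layer that bypasses mod_headers).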

    Thread Starter skariko

    (@skariko)

Yes, I have it at the end of the file, like this:

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
        Header always append X-Frame-Options "SAMEORIGIN"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header set Referrer-Policy "no-referrer-when-downgrade"
        Header set Content-Security-Policy "base-uri 'self'; frame-src 'self'; connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'self'"
        Header set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';camera 'none';display-capture 'none';document-domain 'none';encrypted-media 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';layout-animations 'none';legacy-image-formats 'none';magnetometer 'none';microphone 'none';midi 'none';oversized-images 'self';payment 'none';picture-in-picture 'none';publickey-credentials 'none';speaker 'none';sync-xhr 'none';unoptimized-images 'self';unsized-media 'self';usb 'none';vibrate 'none';wake-lock 'none';xr-spatial-tracking 'none'"
    </IfModule>
    <IfModule mod_rewrite.c>
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.+)\.(x[0-9]{5})\.()$ $1.$3 [L]
    </IfModule>
    # END W3TC Browser Cache

    Thank you

    • This reply was modified 1 year, 6 months ago by skariko.
    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @skariko

    Everything seems correct in the .htaccess.
    Can you please share the entire .htaccess and also make sure that you don’t have any other plugins or custom rules that may be in conflict.
    Please check the server-side configuration and make sure that mod_headers is enabled and active on your website.
    Thanks!

    Thread Starter skariko

    (@skariko)

With your “Compatibility test” I see that mod_headers seems not to be enabled. So I have contacted my hosting to ask if it is possible to enable it.

    Is it possible to send the .htaccess privately?
    Just to not post it here in a public forum.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @skariko

    Thank you for the information.
You can contact us directly via the plugin in Performance>Support or via our website https://www.w3-edge.com/contact/
    Thanks!

    Thread Starter skariko

    (@skariko)

    Dear Marko,
just want to inform you that it seems solved, as you can see.
The only thing that I changed is the Page Cache setting from “Disk” to “Disk Enhanced” and it worked immediately.

    Thanks for your time.

  • The topic ‘Can’t set Security Header’ is closed to new replies.