Title: Duplicate headers (bis)
Last modified: June 21, 2026

---

# Duplicate headers (bis)

 *  [Cyrille Sanson](https://wordpress.org/support/users/css31/)
 * (@css31)
 * [2 weeks, 1 day ago](https://wordpress.org/support/topic/duplicate-headers-bis/)
 * Hi [Andrea Ferro](https://wordpress.org/support/users/unicorn03/),
 * Thanks for the plugin and your replies in this thread => [https://wordpress.org/support/topic/duplicate-headers-5/](https://wordpress.org/support/topic/duplicate-headers-5/)
 * **Transparency note:** this was written by an AI assistant (Claude Code) from
   measurements on my site; I can’t fully verify the reasoning myself, but I’ve 
   personally observed the effects.
 * **Setup:** WordPress 7.0, PHP 8.3, hosting o2switch. To isolate things, I fully
   deactivated every other security plugin (SecuPress) — your plugin (5.3.2) is 
   the only header manager running.
 * **Finding:** on a fresh, cache-bypassed response, your plugin emits a subset 
   of its headers twice.
    - Emitted once (fine): Strict-Transport-Security, X-Frame-Options, X-Content-
      Type-Options, Permissions-Policy.
    - Emitted twice:
      content-security-policy: ,referrer-policy: strict-origin-when-
      cross-origin, strict-origin-when-cross-originx-permitted-cross-domain-policies:
      none, nonecross-origin-opener-policy: unsafe-none, unsafe-nonecross-origin-
      embedder-policy: unsafe-none; report-to=’default’, (×2)cross-origin-resource-
      policy: cross-origin, cross-originaccess-control-allow-methods: GET,POST, 
      GET,POSTx-content-security-policy: default-src ‘self’; … (deprecated, ×2)
 * **The CSP is the clincher:** it’s a value I typed into your plugin, nothing else
   sets it, yet it appears twice — while headers you emit once (HSTS) are not doubled,
   so it isn’t a server-side mirror. It looks like this group of headers goes through
   two code paths.
 * **Also:** the “Hide/Resolve duplicate headers” section only lists the 4 headers
   that are already single (HSTS, Permissions-Policy, X-Content-Type-Options, X-
   Frame-Options) — not the ones actually duplicated; and with no second source,
   ticking a box removes the header entirely (my HSTS vanished). A deprecated X-
   Content-Security-Policy is also emitted. (Minor: the Permissions-Policy checkbox
   is internally named disable_csp_header.)
 * Could you (1) fix the double emission for that header group, and (2) extend the
   de-dup option to all managed headers?
 * Thanks,

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fduplicate-headers-bis%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/headers-security-advanced-hsts-wp/assets/icon.svg?rev=3102785)
 * [Headers Security Advanced & HSTS WP](https://wordpress.org/plugins/headers-security-advanced-hsts-wp/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/headers-security-advanced-hsts-wp/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/)
 * [Active Topics](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/)

 * 0 replies
 * 1 participant
 * Last reply from: [Cyrille Sanson](https://wordpress.org/support/users/css31/)
 * Last activity: [2 weeks, 1 day ago](https://wordpress.org/support/topic/duplicate-headers-bis/)
 * Status: not resolved