• Resolved brandstart

    (@brandstart)


    X-Content-Type-Options There was a duplicate X-Content-Type-Options header.
    X-Frame-Options There was a duplicate X-Frame-Options header.
    Permissions-Policy There was a duplicate Permissions-Policy header.
    Strict-Transport-Security There was a duplicate Strict-Transport-Security header.

    I receive this when I check the CSP on https://securityheaders.com/
    Any idea of a fix?

    HTTP/2	200
    server	nginx
    date	Tue, 11 Oct 2022 10:30:32 GMT
    content-type	text/html; charset=UTF-8
    vary	Accept-Encoding
    strict-transport-security	max-age=63072000; includeSubDomains; preload
    x-xss-protection	1; mode=block
    x-content-type-options	nosniff
    referrer-policy	strict-origin-when-cross-origin
    expect-ct	max-age=7776000, enforce
    content-security-policy	report-uri https://brandstart.ie
    x-frame-options	SAMEORIGIN
    permissions-policy	accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
    sg-f-cache	BYPASS
    x-xss-protection	1; mode=block
    expect-ct	max-age=7776000, enforce
    access-control-allow-origin	null
    access-control-allow-methods	GET,PUT,POST,DELETE
    access-control-allow-headers	Content-Type, Authorization
    x-content-security-policy	img-src *; media-src * data:;
    x-content-type-options	nosniff
    content-security-policy	report-uri https://brandstart.ie
    referrer-policy	strict-origin-when-cross-origin
    cross-origin-embedder-policy-report-only	unsafe-none; report-to="default"
    cross-origin-embedder-policy	unsafe-none; report-to="default"
    cross-origin-opener-policy-report-only	same-origin; report-to="default"
    cross-origin-opener-policy	same-origin-allow-popups; report-to="default"
    cross-origin-resource-policy	cross-origin
    x-frame-options	SAMEORIGIN
    permissions-policy	accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), document-domain=(), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), gamepad=(), serial=(), window-placement=()
    feature-policy	display-capture 'self'
    x-permitted-cross-domain-policies	none
    x-cache-enabled	True
    strict-transport-security	max-age=63072000; includeSubDomains; preload
    link	<https://brandstart.ie/wp-json/>; rel="https://api.w.org/"
    link	<https://brandstart.ie/wp-json/wp/v2/pages/394>; rel="alternate"; type="application/json"
    link	<https://brandstart.ie/>; rel=shortlink
    x-httpd-modphp	1
    host-header	6b7412fb82ca5edfd0917e3957f05d89
    x-proxy-cache	MISS
    x-proxy-cache-info	0 NC:000000 UP:
    content-encoding	gzip
Viewing 2 replies - 1 through 2 (of 2 total)
  • I would like to second this issue. I am having it on all 27 websites I manage using this plugin. FYI.

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @mrtank @brandstart, thank you for downloading and using the Headers Security Advanced & HSTS WP plugin.

    I am Andrea; I will help explain the reason for the issue you are experiencing.

    Your issue is: why, when I use a third-party tool like securityheaders.com to verify the headers, does it report “duplicate headers”? Tell me if that is what you meant.

    The most common case I have verified and encountered over time is the duplication of the following headers:

    • X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
    • X-Frame-Options: There was a duplicate X-Frame-Options header.
    • Permissions-Policy: There was a duplicate Permissions-Policy header.
    • Strict-Transport-Security: There was a duplicate Strict-Transport-Security header.

    In this case, duplication of headers occurs because the hosting provider of your web services (e.g. GoDaddy, Namecheap, Google Domains...) already uses headers in its basic configuration, which is usually the minimum offered. The Headers Security Advanced & HSTS WP plugin, on the other hand, uses different types of headers and parameters to offer greater protection. These headers are added on the website configuration side and not the server side (this can cause the issue you were experiencing with duplicate headers).

    To reassure you, you will not experience any penalties, slowdowns or website and client-side issues. In addition, if you use the plugin, its pre-studied and tested headers will be used as the primary ones.

    I hope I have explained to you in the quickest and easiest way why you are encountering the warning on Security Headers.

    Please do not hesitate to contact me if you have any further concerns or questions; I am here specifically.

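The header dump in the original post and the explanation above (plugin-emitted headers layered on top of headers the hosting stack already sets) both come down to the same check: which response headers appear more than once, and whether the copies carry the same value. The script below is an added example, not part of this thread or of the Headers Security Advanced & HSTS WP plugin; it parses a constructed dump in the same name/TAB/value shape as the posted output and lists every duplicated header, flagging the ones whose copies disagree (in the original dump that is Permissions-Policy, whose two values differ in length).

```python
"""Find duplicated response headers in a raw header dump.

SAMPLE_HEADERS is a constructed, shortened stand-in for the
securityheaders.com output posted in the thread: one header per line,
name and value separated by a TAB, status line first.
"""
from collections import OrderedDict

SAMPLE_HEADERS = """\
HTTP/2\t200
server\tnginx
strict-transport-security\tmax-age=63072000; includeSubDomains; preload
x-content-type-options\tnosniff
content-security-policy\treport-uri https://brandstart.ie
x-frame-options\tSAMEORIGIN
permissions-policy\taccelerometer=(), camera=(), fullscreen=*, payment=*
x-content-type-options\tnosniff
content-security-policy\treport-uri https://brandstart.ie
x-frame-options\tSAMEORIGIN
permissions-policy\taccelerometer=(), camera=(), fullscreen=*, microphone=(), payment=*
strict-transport-security\tmax-age=63072000; includeSubDomains; preload
content-encoding\tgzip
"""


def parse_headers(dump):
    """Return (name, value) pairs in wire order; names lower-cased, status line skipped.

    Accepts either the TAB-separated tool output or plain "Name: value" lines.
    """
    pairs = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        if "\t" in line:
            name, value = line.split("\t", 1)
        elif ":" in line:
            name, value = line.split(":", 1)
        else:
            continue  # not a header line; ignore
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_duplicates(pairs):
    """Map each header name seen more than once to its list of values, in order."""
    seen = OrderedDict()
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return OrderedDict((n, v) for n, v in seen.items() if len(v) > 1)


def report(dump):
    """One line per duplicated header, noting whether all copies agree.

    Copies that disagree deserve a look: the server-side and plugin-side
    policies were written independently, so the effective policy depends
    on how the browser merges the two, not on what either author intended.
    """
    lines = []
    for name, values in find_duplicates(parse_headers(dump)).items():
        status = "identical" if len(set(values)) == 1 else "DIFFERENT values"
        lines.append(f"{name}: {len(values)} copies ({status})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HEADERS):
        print(line)
```

To run it against a live site, replace SAMPLE_HEADERS with the raw headers from `curl -sI https://example.invalid` (plain "Name: value" lines are accepted too); identical duplicates are the harmless case the plugin author describes, while differing copies are the ones to reconcile between the hosting configuration and the plugin.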