HSTS Header Present But Not Working
-
I have installed the plugin and I believe I see the HSTS header in the .htaccess file.
However, when I run a test it fails for HSTS. https://securityheaders.com/?q=https%3A%2F%2Fjondavis.me%2F&hide=on
What might cause that to happen?
I’m not even sure how to troubleshoot because I see the header there.
The page I need help with: [log in to see the link]
-
I see the same issue; HSTS appears to be in the .htaccess file, but the HSTS test is failing on both:
https://securityheaders.com/
https://www.serpworx.com/check-security-headers/
Is this a bug?
The site is:
https://www.mbsdpipes.com/
-
It’s the same in my case, and I would guess that, just like me, you aren’t using Apache, so the .htaccess file simply doesn’t have any effect.
Since all other headers are also sent by PHP I would classify this as a bug. Furthermore, looking at the code, I see that the function which instructs WordPress to add this HTTP header to the output is only called when the settings for this particular header are updated, which actually has no effect since the update action produces a redirect response with no custom headers whatsoever, so it’s definitely a bug.
I also noticed that this plugin adds two <IfModule mod_headers.c> blocks in the file instead of just one: the first one only contains an instruction to add the HSTS header, and the other contains instructions for all other headers. Furthermore, the HSTS block gains an extra blank line each time these settings are saved. It would be nicer if only one such block was added and the unnecessary blank lines were not there.
- This reply was modified 11 months, 1 week ago by Rimas.
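As an added illustration of the point above (this is example code, not the plugin's own): on Nginx or OpenLiteSpeed the .htaccess rule is never read, so the header has to be emitted by PHP on every request rather than only when the settings are saved. The function name, the use of the WordPress send_headers action and the max-age value are my assumptions.

```php
<?php
/**
 * Added example, not the plugin's code: emit the HSTS header from PHP on
 * every front-end response, so it also works where .htaccess is ignored.
 * Hooking send_headers means it runs on each request, not just on a
 * settings update (whose redirect response carries no custom headers).
 */
add_action( 'send_headers', 'example_send_hsts_header' );

function example_send_hsts_header() {
    // Browsers only honour HSTS received over HTTPS, and header() is a
    // no-op once output has started, so bail out in both cases.
    if ( ! is_ssl() || headers_sent() ) {
        return;
    }
    // Assumed policy: one year, applied to subdomains. Use a short max-age
    // while testing, because browsers cache the policy for that long.
    $max_age = 31536000;
    header( 'Strict-Transport-Security: max-age=' . (int) $max_age . '; includeSubDomains' );
}
```

To confirm it is actually sent, inspect the response of the URL a redirect finally lands on (for example with curl -sI), since a redirect hop performed outside WordPress will not carry headers added by PHP.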
I am using Apache and I believe I’ve discovered what causes the HSTS to fail even though the code is present in HSTS.
In my case it is because I have a primary “redirect” of my website from https://mysite.com/ to https://www.mysite.com/
Technically HSTS doesn’t like/allow a redirect from one url to another.
For me this redirect issue occurred because I accidentally didn’t include the non-www url in my SSL Certificate when I made it and I did this as a temporary workaround until I figured out the issue.
Check and see if you have the same issue. WordPress Health Check really should tell us this is the issue, as the error message is returned on site checks like securityheaders.com.
Your cause of HSTS fail may be different but this was mine.
@kennetheyoung, I would guess that the response to your https://mysite.com/ request didn’t have the HSTS header (or any other headers added by this plugin), but then the one to the https://www.mysite.com/ request did? I think this would be perfectly normal, because the original redirect might be performed outside WordPress, or, even if not (this depends on the setup), WordPress might not be adding any custom headers (including these) due to the redirect nature of the response.
-
Important note: Somehow I spelled my own name wrong in the link that I need help with haha.
This almost has to have been some sort of auto correct thing.
But the link is actually https://jondavis.me – NO “h.”
When you say the non-Apache server thing is a “bug” do you mean that it is a bug in this plugin?
Or a bug in how HSTS works?
Or something else?
My site is on an OpenLiteSpeed server setup (Vultr).
I am not using an Apache server but an OpenLiteSpeed server.
I also have the SSL setup for both the www and not-www version of the domain.
The www version DOES forward automatically to the non-www version.
Does “Plugin Contributor” mean you are a contributor to this specific plugin? Or to plugins in general?
In other words, do I need to wait for @unicorn03 (Andrea the plugin author) to show up and help me?
It appears that they aren’t around that often.
I am wondering if I need to move on and look for a different solution.
(Important side note: I am not complaining. I don’t feel entitled to any help on this free plugin at all. Just trying to decide if this solution is going to solve my problem or if I need to start looking elsewhere)
Hi @thirstyjon , thank you for downloading the Headers Security Advanced & HSTS WP plugin.
For some reason I am not getting topic notifications via email and the only way at the moment is to check topics via browser.
Don’t worry I am here to help you with your report and to speed up the timeline and offer you the best assistance I ask if you can write me at support@tentacleplugins[dot]com
@thirstyjon, yes, I meant it’s a bug in the plugin. I’m now able to contribute to this plugin since yesterday evening (thanks to @unicorn03) and I plan to look into this issue since, as a user of Nginx, I’m also affected by it.
@erku Wonderful! This plugin is a great idea and it would be nice to have it fully functional. 🙂
Status report: I made a huge pull request to @unicorn03. At least on my server, the header now works as expected and I haven’t noticed any regressions caused by my changes.
Aaaand, it’s now live!