HSTS Header
-
Hello, I have disabled the HSTS Header in NJFW, but it still loads. But because I set it in NGINX, it now gets loaded twice. Please fix this. 🙁
-
Do you have any caching application or a CDN that may have cached the headers?
Hello, no sir. We are indeed using WP Rocket, but on the cached pages the headers are not saved; only on the real-time ones is it sent twice (I think because PHP is not executed on the cached pages).
How did you check your HTTP headers? Did you try from a terminal, by running this command:
curl -I https://your-site.com
Did you try to disable NinjaFirewall from the “Plugins” page, and check your HTTP headers to see if they are gone?
Hello, I found the problem over ssllabs.com, reviewed it in the browser console and tested with https://securityheaders.com
“Strict-Transport-Security: There was a duplicate Strict-Transport-Security header.”
If I deactivate Ninja Firewall, the warning seems to be gone.
I tried the site but it cached the results. Can you try either from the curl command line, or by clicking the “NinjaFirewall > Firewall Policies > Advanced Policies > HTTP headers test” button?
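The check suggested above (fetch the raw response head and look for a doubled Strict-Transport-Security field) can be scripted so the result is not masked by a page cache. The following is an added example, not code from the thread or from NinjaFirewall: it parses a response head of the kind `curl -I` prints, lists every header name sent more than once, and reports the state of the HSTS policy. The `SAMPLE_HEAD` text is constructed to mimic the symptom in the thread (one HSTS copy from the web server, one from a PHP-side component); the `fetch_head` helper and the `ONE_YEAR` threshold are this example's own choices.

```python
import re
import sys
import urllib.request

# Constructed sample of a response head, the kind `curl -I https://your-site.com`
# prints. The doubled Strict-Transport-Security line mimics the symptom in the
# thread (one copy from the web server, one from a PHP-side plugin).
SAMPLE_HEAD = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
"""

ONE_YEAR = 31536000  # assumed minimum max-age worth flagging below


def parse_head(raw: str) -> list[tuple[str, str]]:
    """Parse a raw response head into (name, value) pairs.
    Order and duplicates are preserved; names are lower-cased because
    header names are case-insensitive."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.startswith("HTTP/"):
            continue  # status line, or the blank line that ends the head
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def duplicate_headers(pairs):
    """Header names that appear more than once, sorted."""
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def hsts_report(pairs):
    """Summarise the Strict-Transport-Security field(s) and list problems.
    Browsers process only the first STS header field in a response
    (RFC 6797 section 8.1), so a stricter second copy is silently ignored;
    that is why a duplicate is a policy defect and not just noise."""
    values = [v for n, v in pairs if n == "strict-transport-security"]
    problems = []
    if not values:
        problems.append("missing: no Strict-Transport-Security header")
    if len(values) > 1:
        problems.append(f"duplicate: sent {len(values)} times, only the first is used")
    for value in values:
        match = re.search(r"max-age=(\d+)", value)
        if not match:
            problems.append(f"no max-age in {value!r}")
        elif int(match.group(1)) < ONE_YEAR:
            problems.append(f"max-age below one year in {value!r}")
    return {"count": len(values), "values": values, "problems": problems}


def fetch_head(url: str):
    """Fetch the response head of a live URL with a HEAD request.
    Standard library only; http.client keeps duplicate header fields."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return [(name.lower(), value.strip()) for name, value in resp.headers.items()]


if __name__ == "__main__":
    # With a URL argument the live site is checked; without one the sample is used.
    pairs = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else parse_head(SAMPLE_HEAD)
    for name in duplicate_headers(pairs):
        print(f"duplicate header: {name}")
    for problem in hsts_report(pairs)["problems"]:
        print(f"hsts: {problem}")
```

Run it against the live site once with the firewall plugin active and once with it deactivated; if the duplicate only disappears in the second run, the plugin is one of the two senders. A duplicate that survives a plugin deactivation usually points at another layer that also emits the header (web server config, a second plugin, or a cached copy of the head in an object cache such as Redis), which is what the thread eventually found.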
Hey, this is the output:
access-control-allow-credentials: true
access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
access-control-allow-origin: *
cache-control: no-cache, must-revalidate, max-age=0, no-store, private
content-encoding: br
content-security-policy: base-uri 'self'; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.domain.com domain.com *.domain.com; style-src 'self' 'unsafe-inline' *.domain.com domain.com *.domain.com; img-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com *.domain.org *.domain.com *.domain.com image.domain.com domain.com *.domain.com *.domain.com; media-src 'self' *.domain.com domain.com; font-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com; object-src 'self' *.domain.com domain.com; child-src 'self' blob: *.domain.com domain.com *.domain.com; manifest-src 'self' *.domain.com domain.com *.domain.com; connect-src 'self' *.domain.com domain.com api.domain.com domain.com *.domain.com domain.org api.domain.org; form-action 'self' *.domain.com domain.com *.domain.de; frame-ancestors 'self'; frame-src 'self' data: domain.com;
content-type: text/html; charset=UTF-8
cross-origin-embedder-policy: same-origin
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
date: Wed, 27 Mar 2024 21:45:59 GMT
expect-staple: max-age=31536000; preload
expires: Wed, 11 Jan 1984 05:00:00 GMT
link: https://www.domain.com/wp-json/; rel="https://api.w.org/", https://www.domain.com/wp-json/wp/v2/pages/7703; rel="alternate"; type="application/json", https://www.domain.com/; rel=shortlink
permissions-policy: trust-token-re
I am so sorry, I found the problem. The plugin cf7_antispam sets the header, and this got cached in redis…