Thread Starter
barnez
(@pidengmor)
If I add the rules directly to the main .htaccess file then they are recognised by the scans.
I used htbridge.com to scan a site that has all headers enabled and it returned there were no headers at all. A bit odd.
Try to test yourself with the cURL command from a shell:
$ curl -I http(s)://YOUR-BLOG/index.php
The -I switch will display headers only.
Thread Starter
barnez
(@pidengmor)
Thanks for looking into this.
Try to test yourself with the cURL command from a shell:
That is outside my skill set I’m afraid. I’m happy to apply these headers through the .htaccess file for now, but wanted to let you know in case this is happening more widely than just in my case. If there is any other testing I can apply that does not involve shell access, just let me know.
I think those scanners scan all links, including static files such as images. Because NF is a PHP firewall, the image response headers will not include the security headers, and thus the scanner tells you they are missing.
You can try Firefox “Net” console (other browsers have the same feature more or less):
- Press CTRL + Shift + J to display the console.
- Select the “Net” tab only.
- Go to your website.
- Click on the arrow beside the name of the site to display the response headers.
Thread Starter
barnez
(@pidengmor)
Ahh. That could be it then.
Oddly, the NFW security headers are showing as present in the Chrome console, but not in the Firefox console.
Your best option is the cURL shell command: you can run it from SSH, or from a plugin, or from a PHP script that you can upload to your site and access it with your browser such as this one:
<?php
header('Content-Type: text/plain');
echo {backtick}curl -I http://YOUR-BLOG/index.php{backtick};
Note: Replace the 2 “{backtick}” with the backtick characters.
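The two points made above (a PHP firewall only adds its headers to responses that go through PHP, and `curl -I` is the reliable way to see what a given URL actually returns) can be checked together with a small script. The following is an added example, not code from the plugin author or from NinjaFirewall. It parses the text that `curl -I` prints, reports which security headers are missing per URL, and shows on constructed sample responses (not captured from any real site) why a scanner that also requests static files such as images would report the headers as absent. The list of header names it checks is an assumption about what a scanner typically looks for; the `head_via_curl` helper at the bottom shells out to the real `curl -sI` only when the script is run directly.

```python
"""Compare security headers on a PHP-served page versus a static asset.

Added example. The sample responses below are constructed; the header list
is an assumed, representative set of what header scanners look for.
"""
import subprocess
from typing import Dict, List

# Assumption: a representative set of headers that a PHP firewall can add
# to PHP responses and that scanners commonly check for.
SECURITY_HEADERS = (
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
    "Content-Security-Policy",
)


def parse_head_output(raw: str) -> Dict[str, object]:
    """Parse the text printed by `curl -I` into a status line and a
    case-insensitive header dict. Only one response block is parsed;
    a redirect chain (curl -IL) would need splitting on blank lines first."""
    lines = raw.strip().splitlines()
    status = lines[0].strip() if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip stray lines that are not "Name: value"
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def missing_security_headers(raw: str) -> List[str]:
    """Return the security headers absent from one `curl -I` response."""
    present = parse_head_output(raw)["headers"]
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def compare(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each URL to the list of security headers its response lacks."""
    return {url: missing_security_headers(raw) for url, raw in responses.items()}


def head_via_curl(url: str) -> str:
    """Run the real `curl -sI` (silent, headers only) and return its output.
    Requires curl on PATH and network access; not used by the offline demo."""
    result = subprocess.run(["curl", "-sI", url], capture_output=True,
                            text=True, timeout=30, check=True)
    return result.stdout


# Constructed sample: a PHP response that carries the firewall's headers.
PHP_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
"""

# Constructed sample: a static image served directly by the web server,
# which never passes through PHP, so the firewall cannot add headers to it.
IMAGE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: image/png
Content-Length: 12345
Cache-Control: max-age=86400
"""

SAMPLE = {
    "http://YOUR-BLOG/index.php": PHP_RESPONSE,
    "http://YOUR-BLOG/wp-content/uploads/logo.png": IMAGE_RESPONSE,
}


if __name__ == "__main__":
    # Offline demo on the constructed samples; to check a live site instead,
    # build the dict from head_via_curl(url) for each URL of interest.
    for url, missing in compare(SAMPLE).items():
        print(url, "-> missing:", missing or "none")
```

Running it shows the PHP page lacking nothing and the image lacking every header, which is exactly the pattern that makes a crawl-everything scanner report the headers as missing. Headers added in the main .htaccess file, by contrast, are applied by the web server to every response, including static files, which is why that approach satisfies the scanners.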
Thread Starter
barnez
(@pidengmor)
I tried the php script and the security headers set in NFW are present there. It looks like you’re right: the scanners I mentioned above have a flaw in how they collect this data from the header response. Many thanks for working through this.