Support » Plugin: HTTP Headers » https://www.webpagetest.org/ Result “E”

  • Hi,

    WebPageTest.org reported no errors until today when, for the first time, a Security Score was displayed as “E”. I have been using HTTP Header for several months and the Security Score error hadn’t appeared.

    These are the active plug-in settings:
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection 1; mode=block
    X-Content-Type-Options nosniff
    Strict-Transport-Security max-age=63072000; includeSubDomains; preload
    Referrer-Policy no-referrer
    Content-Security-Policy frame-ancestors ‘none’
    Feature Policy ON

    Any idea what is happening?

    Thanks a lot for your help,

    Stephen

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi Stephen,

    When I open your website at https://www.auction-savvy.com/
    I see these response headers:

    cache-control: max-age=0
    cf-cache-status: DYNAMIC
    cf-ray: 592e056389d70d5a-VIE
    cf-request-id: 02b0a1b23800000d5a24315200000001
    content-encoding: br
    content-type: text/html; charset=UTF-8
    date: Wed, 13 May 2020 17:15:22 GMT
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    expires: Wed, 13 May 2020 17:15:21 GMT
    last-modified: Wed, 13 May 2020 16:29:59 GMT
    server: cloudflare
    status: 200
    vary: Accept-Encoding,Cookie,User-Agent,Accept
    x-content-type-options: nosniff

    then I open the same page like this: https://www.auction-savvy.com/?adasdas
    and I get the following response headers:

    cache-control: max-age=0
    cf-cache-status: DYNAMIC
    cf-ray: 592e07515b2f0d5a-VIE
    cf-request-id: 02b0a2e6d900000d5a241da200000001
    content-encoding: br
    content-security-policy: frame-ancestors 'none'
    content-type: text/html; charset=UTF-8
    date: Wed, 13 May 2020 17:16:43 GMT
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    expires: Wed, 13 May 2020 17:16:40 GMT
    link: <https://www.auction-savvy.com/wp-json/>; rel="https://api.w.org/"
    referrer-policy: no-referrer
    server: cloudflare
    status: 200
    strict-transport-security: max-age=63072000; includeSubDomains; preload
    vary: Accept,Accept-Encoding,User-Agent
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block

    As you can see the late is a “fresh” request, with all your security headers.
    So, I guess you are using some intermediate cache like Cloudflare.

    To overcome this you can try to adjust the Cache-Control header to include the public directive.

    For example:
    Cache-Control: public, max-age=0

    Note that you may need to purge the Cloudflare cache after a change of HTTP Headers plugin settings.

    For more info read this:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

    Dimitar

    • This reply was modified 2 months, 4 weeks ago by Dimitar Ivanov. Reason: clarification

    Hi Dimitar,

    Yes, I am using Cloudflare. I followed your direction and enabled the Cache-Control in HTTP Headers to public, max-age=0. I cleared the Cloudflare cache but still have the same result.

    Any other suggestions?

    Thanks again for your help,

    Stephen

    Plugin Author Dimitar Ivanov

    (@zinoui)

    Sorry, it’s my bad but the public directive is not what you need. Try this:

    Cache-Control: no-store

    or

    Cache-Control: no-cache, max-age=0

    Hi Dimitar,

    I tried both suggestions but no change in results. I did find however if I disable the WP Rocket plugin the score goes from “D” to “A”. I will submit a support ticket to WP Rocket and see if they can resolve.

    Thanks again for your help and have a good weekend!

    Stephen

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.