• Hello Carl,

    Nice plug-in.

    If one enables ‘base-uri’ under the ‘document directives’ and chooses – let’s say – ‘none’, then HTTP Headers only writes in .htaccess: ;base-uri ;
    So the base-uri setting is left blank in the .htaccess.
    Probably a little bug.

    PS: I sent you a mail through WordPress one week ago with some other questions.

    Best regards,

    Danny

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Carl

    (@carlconrad)

    Hi Danny,

    Sorry for the slow responses, busy times.

    This is not really a bug. I would rather say a missing feature.

    Generally speaking, this plug-in has been written with users who know what these settings do in mind, as these settings are quite touchy. With time, I will try to make it more bulletproof.

    Nevertheless thanks for your feedback,
    Regards,
    Carl

    Thread Starter dny24

    (@dny24)

    Good morning Carl,

    Thanks for your reply.

    It doesn’t matter which value I give for base-uri,
    like ‘self’, ‘none’, ‘unsafe-hashes’ etc.
    The outcome of what HTTP Security Options writes is the same:
    base-uri ;
    So nothing is written.

    Normally, I would see something like:
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "base-uri 'self';"
    </IfModule>

    So it looks like a bug.
    But maybe I’m missing something…

    Best regards,

    Danny

    Thread Starter dny24

    (@dny24)

    PS Carl,

    I found something else:
    For Feature policy, normal code is – for instance –
    Header set Expect-CT "max-age=86400,enforce"

    HTTP Security Options writes it in reverse:
    Header set Expect-CT: enforce; max-age=86400;

    This gives errors (misconfiguration or weakness)
    when using website security test.

    Of course this is intended as ‘positive critique constructive’.

    Best regards,

    Danny

    Plugin Author Carl

    (@carlconrad)

    Hi Danny,

    OK, I need to have a look at this. As far as I remember, Expect-CT was added in the early stages; the specs were not official.

    Thanks for your contribution, I hope to release an update soon.

    Regards,
    Carl
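
A check for the two symptoms reported in this thread (a CSP directive written with no value, and an unquoted Expect-CT value that uses ';'), as an added example that is not the plugin's code or part of the original posts. The function name `lint_htaccess`, the directive list and the sample lines are assumptions constructed for illustration.

```python
import shlex

# Directives whose value is a source list; written without one, the chosen value is lost.
SOURCE_LIST_DIRECTIVES = {"base-uri", "default-src", "script-src", "style-src",
                          "img-src", "form-action", "frame-ancestors"}
ACTIONS = {"set", "append", "add", "merge", "setifempty"}
TRAILING_OK = ("early", "env=", "expr=")  # legitimate extra arguments of mod_headers

# Constructed sample, modelled on the .htaccess output quoted in the thread.
SAMPLE = """\
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; base-uri ;"
Header set Content-Security-Policy "base-uri 'self';"
Header set Expect-CT: enforce; max-age=86400;
Header set Expect-CT "max-age=86400,enforce"
</IfModule>
"""

def lint_htaccess(text):
    """Return (line_number, message) for each suspicious Header directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip().lower().startswith("header "):
            continue
        try:
            tokens = shlex.split(line)  # splits arguments on whitespace, honouring quotes
        except ValueError:
            findings.append((lineno, "unbalanced quotes"))
            continue
        if len(tokens) > 1 and tokens[1].lower() in ("always", "onsuccess"):
            del tokens[1]  # optional condition placed before the action
        if len(tokens) < 4 or tokens[1].lower() not in ACTIONS:
            continue
        name = tokens[2].rstrip(":").lower()  # a trailing colon on the name is allowed
        value, extra = tokens[3], tokens[4:]
        if extra and not extra[0].lower().startswith(TRAILING_OK):
            findings.append((lineno, f"{name}: value is not quoted and splits "
                                     f"into {len(extra) + 1} arguments"))
            value = " ".join(tokens[3:])  # rejoin so the checks below see all of it
        if name == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if len(parts) == 1 and parts[0].lower() in SOURCE_LIST_DIRECTIVES:
                    findings.append((lineno, f"{parts[0]}: directive written without a value"))
        elif name == "expect-ct" and ";" in value:
            findings.append((lineno, "expect-ct: directives are separated by ';' instead of ','"))
    return findings
```
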

  • The topic ‘Little bug in base-uri’ is closed to new replies.