Support » Plugin: HTTP Headers » Missing Headers

  • Resolved khemlanimart

    (@khemlanimart)


    Hi. I’ve added about 6 different security headers to my website, but in the plugin inspection and external 3rd part inspection, all are missing. I’m using apache and have the default mode set for the plugin. When I checked .htaccess, the plugin headers are the under the ifmodule.

    The page I need help with: [log in to see the link]

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @khemlanimart

    Can you post here those headers?
    Also, are you sure the module you mention above is loaded on your server?

    Hi. The headers I have added are:
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection 1; mode=block
    X-Content-Type-Options nosniff
    Referrer-Policy origin
    Content-Security-Policy default-src ‘self’; script-src ‘self’; style-src ‘self’; img-src https:; child-src ‘none’
    Feature-Policy camera ‘self’; domain ‘self’; payment ‘self’

    When I go into my .htaccess I see:
    # END WordPress
    # BEGIN HttpHeaders
    # The directives (lines) between BEGIN HttpHeaders and END HttpHeaders are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_headers.c>
    Header always set X-Content-Type-Options “nosniff”
    <FilesMatch “\.(php|html)$”>
    Header set X-Frame-Options “SAMEORIGIN”
    Header set X-XSS-Protection “1; mode=block”
    Header set Content-Security-Policy “default-src ‘self’; script-src ‘self’; style-src ‘self’; img-src https:; child-src ‘none'”
    Header set Referrer-Policy “origin”
    Header set Feature-Policy “camera ‘self’; domain ‘self’; payment ‘self'”
    </FilesMatch>
    </IfModule>

    I restarted the server as well

    Plugin Author Dimitar Ivanov

    (@zinoui)

    Now, you need to ensure you have the mod_headers module loaded and worked. To do so run the following command:

    apache2ctl -M

    If you can’t access command-line, the easiest way is to put a comment sign in front of start and end IfModule statement in your .htaccess file. If module is not loaded you will get a 500 Internal Server Error. If so, first remove the comments and error will disappear, then you need to activate/load the mod_headers module.

    # <IfModule mod_headers.so>
    ...
    # </IfModule>

    If no error occurs, the module should be loaded.

    The other thing that could possibly stops .htaccess rules is to have the following directive in your server httpd.conf file:
    AllowOverride None

    If that’s the case, nothing from .htaccess will works. Need to be changed to:
    AllowOverride All

    • This reply was modified 2 months ago by Dimitar Ivanov. Reason: clarification
    khemlanimart

    (@khemlanimart)

    @zinoui Thanks so much for the help, but it’s still not working. I ran apache2ctl -M and got back

    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    Loaded Modules:
     core_module (static)
     so_module (static)
     watchdog_module (static)
     http_module (static)
     log_config_module (static)
     logio_module (static)
     version_module (static)
     unixd_module (static)
     access_compat_module (shared)
     alias_module (shared)
     auth_basic_module (shared)
     authn_core_module (shared)
     authn_file_module (shared)
     authz_core_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     autoindex_module (shared)
     deflate_module (shared)
     dir_module (shared)
     env_module (shared)
     filter_module (shared)
     mime_module (shared)
     mpm_prefork_module (shared)
     negotiation_module (shared)
     php7_module (shared)
     reqtimeout_module (shared)
     rewrite_module (shared)
     setenvif_module (shared)
     socache_shmcb_module (shared)
     ssl_module (shared)
     status_module (shared)
    

    I couldn’t find a httpd.conf but I found apache2.conf and changed the following:

    
    <Directory /var/www/>
    	Options Indexes FollowSymLinks
    	AllowOverride All
    	Require all granted
    </Directory>
    

    AllowOverride was originally None. I restarted the apache2 service after doing this and ran sudo a2enmod rewrite both of which were successful.

    I also tried commenting out <IfModule mod_headers.c> (not “.so” which I dont seem to have) and that caused a 500 Internal Server Error for the website :/. Is there anything else you could think of that could locate the problem?

    khemlanimart

    (@khemlanimart)

    I also tried switching to PHP, which worked but caused errors with some of my plugins

    khemlanimart

    (@khemlanimart)

    Ok. I was able to get it by switching over to PHP (deprecated).

    Plugin Author Dimitar Ivanov

    (@zinoui)

    I can’t see the headers_module in the list returned from apache2ctl -M command. To make it work you need to enable that module.

    Of course, PHP mode is also an option.

    Regards,

    khemlanimart

    (@khemlanimart)

    @zinoui Agreed. How do I add the module though, do I do it manually?

    Plugin Author Dimitar Ivanov

    (@zinoui)

    In the Apache’s httpd.conf search for:

    #LoadModule headers_module /path/to/modules/mod_headers.so

    then remove the comment, and restart Apache. This should be enough.

    khemlanimart

    (@khemlanimart)

    Hi @zinoui. I’ll go ahead and mark this closed. I can’t find httpd.conf only apache2.conf and that line doesn’t seem to be there. Moreover, the file in .htaccess says mod_headers.c not mod_headers.so and I’m not an expert in these things so I’m not sure if theyre the same. I will just use php for now I guess. Thanks again.

    khemlanimart

    (@khemlanimart)

    Resolved

Viewing 11 replies - 1 through 11 (of 11 total)
  • You must be logged in to reply to this topic.