Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » Sucuri does not detect existing security headers

  • Resolved michaelnorth

    (@michaelnorth)



    Hoping you can point me in the right direction, or confirm if there’s an issue with the plugin . . .

    The plugin is advising security headers are missing, but they are in fact in the .htaccess file like this snippet below. Syntax checks out per http://www.htaccesscheck.com.

    # Security Headers
    <IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=15552000; includeSubDomains”
    Header set X-XSS-Protection “1; mode=block”
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    </IfModule>

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author yorman

    (@yorman)

    I just checked your website and can confirm that you have added the HTTP security headers correctly. If the plugin is still showing a warning it must be because the results of the initial scan are cached. The cache expires after 20 minutes, if it is taking longer, you can force the expiration from the “Data Storage” panel located in the settings page, the file is called “sucuri-sitecheck.php”.

    Let me know if you need more information.

    That worked, thanks!

    Some feedback on the plugin:

    The cache is definitely not clearing after 20 minutes, it’s been at least two hours.

    My take is that the Data Storage button should be called “Clear” or “Reset”. I’m sure “Delete” causing people to pause, seems like it could be deleting an important file if you don’t understand they are temporary.

    Wouldn’t it be helpful to show that he various security headers are correctly installed, instead of just just showing a blank? The not-present alert is useful, but positive confirmation is better 😉

    The security headers should include Strict Transport Security (HSTS) for sites that use HTTPS.

    Plugin Author yorman

    (@yorman)

    Good feedback! I will certainly implement those changes.

    Marking as “not resolved” until those changes are implemented.

    Plugin Author yorman

    (@yorman)

    I have implemented the changes that you suggested [1].

    After testing, these changes will be released with a future update.

    Marking as resolved, thank you for the feedback.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/61

    michaelnorth

    (@michaelnorth)

    Fantastic, thank you!

Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.