Support » Plugin: Really Simple SSL » The Authorization Header is Missing

  • Resolved bulletproducts


    I have the security headers set up in .htaccess as seen below and everything has been working fine. However I just upgraded WordPress today, and no I keep getting an error that the authorization header is missing. Any thoughts?

    # BEGIN rlrssslReallySimpleSSL rsssl_version[3.3.4]
    Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
    Header always set Content-Security-Policy “upgrade-insecure-requests;”
    Header always set X-Content-Type-Options “nosniff”
    Header always set X-XSS-Protection “1; mode=block”
    Header always set Expect-CT “max-age=7776000, enforce”
    Header always set Referrer-Policy: “no-referrer-when-downgrade”
    Header always set X-Frame-Options “sameorigin”
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    # END rlrssslReallySimpleSSL

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author RogierLankhorst


    Hi @bulletproducts,

    The authorization header is not a security header like these others. It is used for application logins etc. Do you have an API connection which requires an authorization header? In that case, you can contact the service provider about this header.

    @rogierlankhorst @bulletproducts : I created a blank site with no plugins or connections and receive the same warning. It seems that something was broken by the recent WordPress.

    Plugin Contributor Mark


    Hi @mvenkadesan,

    it’s likely this message is coming from a different plugin, as Really Simple SSL won’t warn you about authorization headers. If you use a plugin which requires this header, you might want to contact them about this.

    @markwolters : You may have misunderstood my remark. I created a blank site with no plugins and still had the same warning. So it is clearly not related to Really Simple SSL and something appears to be broken in WP 5.6.

    Plugin Author RogierLankhorst


    @mvenkadesan, thanks for the input. I noticed that 5.6 added application passwords:

    Application Passwords: Integration Guide

    Possibly doesn’t have anything to do with your issue, but as it’s one of the new features, it might be related.

    Hope this helps.

    Thank you @rogierlankhorst ! Much appreciated. I will look into that.

    You know, I’ve been in IT over 30 years. I even write an award winning technical book series.

    I’m not saying that to brag; rather to provide a frame of reference for the following statement.

    This link, provided earlier, was less than useless.

    Likewise the error message
    The authorization header is missing.
    is less than useless. If it identified this problem then it knows what user an app is causing the problem. Those should be identified in the drop down message instead of the generic platitude presented.

    Back to the documentation.

    It completely skips over the how to identify user and application. That’s the critical part. The example appears to be a clean empty blog with no subscribers. Bully for the example writer. There are in excess of 8,000 subscribers of this particular blog and north of 20K on my other blog.

    Sorry, I meant this link.

Viewing 8 replies - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.