Title: Cannot modify header information…class-itsec-ssl.php
Last modified: February 8, 2021

---

# Cannot modify header information…class-itsec-ssl.php

 *  Resolved [philraymond](https://wordpress.org/support/users/philraymond/)
 * (@philraymond)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/)
 * This is showing up often in debug.log. Any help? WordPress 5.6.1 and iThemes 
   Security 7.9.0.
 * [08-Feb-2021 00:41:11 UTC] PHP Warning: Cannot modify header information – headers
   already sent by (output started at /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php:131)
   in /home/hello/public_html/wp-includes/pluggable.php on line 1296
 * [08-Feb-2021 00:41:11 UTC] PHP Warning: Cannot modify header information – headers
   already sent by (output started at /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php:131)
   in /home/hello/public_html/wp-includes/pluggable.php on line 1299

Viewing 14 replies - 1 through 14 (of 14 total)

 *  Thread Starter [philraymond](https://wordpress.org/support/users/philraymond/)
 * (@philraymond)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14016861)
 * Oh, and along with it:
 * [08-Feb-2021 00:41:11 UTC] PHP Notice: Undefined index: HTTP_HOST in
   /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php
   on line 131
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14018452)
 * Hi Phil,
 * Most probably the PHP Notice as provided in the last post is from a WP CLI command
   while the iTSec plugin SSL module is enabled.
   (The 2 PHP Warnings from your initial post are the consequence of the PHP Notice).
 * If you read through the relevant code in the
   better-wp-security/core/modules/ssl/class-itsec-ssl.php file, you’ll notice
   that the iTSec plugin SSL module will only redirect to HTTPS when:
 * `'cli' !== php_sapi_name()`
 * and will not redirect to HTTPS when:
 * `'cli' === php_sapi_name()`
 * However in reality, when running a WP CLI command the value returned by the PHP
   php_sapi_name() function will not always be ‘cli’ …
 * So it appears the iTSec plugin SSL module is using the PHP php_sapi_name() function
   to determine whether a WP request is a WP CLI command or not. This is normally
   done using:
 * `if ( defined( 'WP_CLI' ) && WP_CLI ) {`
 * The odd thing is that other iTSec plugin modules use the correct CLI detection
   method … just not the SSL module (bug).
 * There is a quick way to check what value is being returned by the PHP php_sapi_name()
   function in your WordPress env. Simply log into the WordPress Dashboard and navigate
   to the **Tools/Site Health** menu option. Then click on the **Info** tab. Next
   scroll down and click on the **Server** section to expand. Check the value for
   **PHP SAPI**. Since we are interfacing from a browser to a web server, you’ll always
   find the value is something different than ‘cli’.
 * Only when running a WP CLI command will you be able to detect the actual (and relevant)
   value returned by the PHP php_sapi_name() function.
 * Unfortunately I haven’t yet figured out a way to get the same Site Health info
   from WP CLI. I call upon the community for help 😉
 * To prevent any confusion, I’m not iThemes.
    -  This reply was modified 5 years, 4 months ago by [nlpro](https://wordpress.org/support/users/nlpro/).
 *  [jetxpert](https://wordpress.org/support/users/jetxpert/)
 * (@jetxpert)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14021108)
 * [@philraymond](https://wordpress.org/support/users/philraymond/),
 * Three potential fixes for your issue:
 * Option 1: [Undefined index: HTTP_HOST](https://wordpress.org/support/topic/undefined-index-http_host-3/)
 * Option 2: [Undefined index: HTTP_HOST](https://wordpress.org/support/topic/php-notice-undefined-index-http_host-5/)
 * Option 3: [Undefined index: HTTP_HOST](https://wordpress.org/support/topic/undefined-index-http_host-in-local-environment-wp-cli/)
 * Please let us know if any worked.
 * Cheers!
 *  Thread Starter [philraymond](https://wordpress.org/support/users/philraymond/)
 * (@philraymond)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14021772)
 * Thanks so much to both of you for taking the time to share such thorough answers.
 * [@jetxpert](https://wordpress.org/support/users/jetxpert/) your solutions look
   feasible, but they will all break eventually when the plugin is updated, right?
 *  [jetxpert](https://wordpress.org/support/users/jetxpert/)
 * (@jetxpert)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14021930)
 * [@philraymond](https://wordpress.org/support/users/philraymond/),
 * Try the potential solutions first (individually). If any work, then you have 
   the following options:
 * (1) **Contact your host to see if they are restricting your website.** If so,
   suggest a .htaccess modification to reflect the solution you found. Once implemented,
   you can restore the modified files back to their original configuration. Make
   a backup first.
 * OR
 * (2) **Develop, search for, or request a code snippet** for your functions.php
   file. The snippet should override future plugin updates.
 * Cheers!
 *  Thread Starter [philraymond](https://wordpress.org/support/users/philraymond/)
 * (@philraymond)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14026333)
 * Thanks, this seems to have worked for now:
 * `if ( defined( 'WP_CLI' ) && WP_CLI ) {`
 * Interesting how some of these issues in the WordPress core are so old and still
   unresolved. I just found a 5-year-old bug in wp-includes/canonical.php that has
   yet to be fixed.
 *  [jetxpert](https://wordpress.org/support/users/jetxpert/)
 * (@jetxpert)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14026391)
 * [@philraymond](https://wordpress.org/support/users/philraymond/),
 * Awesome. Can you share in more detail what you did?
 * Cheers!
    -  This reply was modified 5 years, 3 months ago by [jetxpert](https://wordpress.org/support/users/jetxpert/).
 *  Thread Starter [philraymond](https://wordpress.org/support/users/philraymond/)
 * (@philraymond)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14026409)
 *     ```
       private function redirect_to_https() {
       	if ( defined( 'WP_CLI' ) && WP_CLI ) { //phil
       		$redirect = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
       		wp_redirect( $redirect, 301 );
       		exit();
       	} //phil
       }
       ```
   
 * I wrapped it in that IF statement directly in class-itsec-ssl.php.
 * Yep, it may break when the plugin is updated.
 *  [jetxpert](https://wordpress.org/support/users/jetxpert/)
 * (@jetxpert)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14026498)
 * [@philraymond](https://wordpress.org/support/users/philraymond/),
 * Thanks! Let’s hope this gets looked at and fixed soon by both WP and iTSec. WP
   5.7 promises to fix many bugs.
 * Cheers!
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14026914)
 * Add the method below to the ITSEC_SSL class:
 *     ```
       private function itsec_wp_is_cli() {
       	return defined( 'WP_CLI' ) && WP_CLI;
       }
       ```
   
 * Then in the init() method replace (line 72):
 * `} else if ( enabled' === $settings['require_ssl'] && 'cli' !== php_sapi_name() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {`
 * with:
 * `} else if ( enabled' === $settings['require_ssl'] && ! $this->itsec_wp_is_cli() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {`
 * and (for consistency) in the do_conditional_ssl_redirect() method (line 90):
 * `if ( 'cli' === php_sapi_name() ) {`
 * with:
 * `if ( $this->itsec_wp_is_cli() ) {`
    -  This reply was modified 5 years, 3 months ago by [nlpro](https://wordpress.org/support/users/nlpro/).
 *  [jetxpert](https://wordpress.org/support/users/jetxpert/)
 * (@jetxpert)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14027110)
 * [@nlpro](https://wordpress.org/support/users/nlpro/),
 * Thanks. We’re good without modifying the code. However, we tried to implement
   your above changes and got a fatal error which was fixed by applying a small 
   change to your code (‘ found missing before enabled):
 * Line 72 should be:
 * `} else if ( 'enabled' === $settings['require_ssl'] && ! $this->itsec_wp_is_cli() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {`
 * Cheers!
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14029890)
 * [@jetxpert](https://wordpress.org/support/users/jetxpert/)
 * Excellent! Apologies for the typo 😉
 *  [TWD](https://wordpress.org/support/users/twd/)
 * (@twd)
 * [5 years, 2 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14183450)
 * Has this bug been fixed yet?
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 2 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14183547)
 * It’s not really a bug. Using the WP_CLI constant is more robust (and the preferred method).
   It’s certainly not wrong to use the PHP php_sapi_name() function, but it’s less robust.
 * If the wrong PHP binary is called by WP CLI, the PHP php_sapi_name() function
   may not return the expected value (cli).
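
The two CLI checks discussed in this thread, side by side, as an added example that is not the plugin's code or any poster's: it also declines to build a redirect URL when `HTTP_HOST` is missing, which is the condition behind the notice on line 131. The function names, the sample `$_SERVER` arrays and the `example.test` host are constructed for illustration.

```php
<?php
// Added example; not iThemes Security code. All function names are hypothetical.

/** CLI detection as the thread says the SSL module did it: by SAPI name. */
function is_cli_by_sapi( string $sapi ): bool {
	return 'cli' === $sapi;
}

/**
 * Return the HTTPS URL to redirect to, or null when no redirect should be sent.
 * $server mirrors $_SERVER; $is_cli is the result of whichever CLI check is used.
 */
function https_redirect_target( array $server, bool $is_cli ): ?string {
	if ( $is_cli ) {
		return null; // Command-line run: there is no client to redirect.
	}
	if ( 'GET' !== ( $server['REQUEST_METHOD'] ?? '' ) ) {
		return null; // Same GET-only condition as the line quoted in the thread.
	}
	if ( empty( $server['HTTP_HOST'] ) || empty( $server['REQUEST_URI'] ) ) {
		return null; // Avoids the "Undefined index: HTTP_HOST" notice and the output it causes.
	}
	if ( in_array( strtolower( (string) ( $server['HTTPS'] ?? '' ) ), array( 'on', '1' ), true ) ) {
		return null; // Already on HTTPS.
	}
	return "https://{$server['HTTP_HOST']}{$server['REQUEST_URI']}";
}

// Constructed cases: label, $_SERVER-like array, SAPI name, value of ( defined( 'WP_CLI' ) && WP_CLI ).
$web   = array( 'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'example.test', 'REQUEST_URI' => '/shop/' );
$cases = array(
	array( 'browser over HTTP', $web, 'fpm-fcgi', false ),
	array( 'browser over HTTPS', $web + array( 'HTTPS' => 'on' ), 'fpm-fcgi', false ),
	array( 'WP-CLI, CLI binary', array( 'REQUEST_METHOD' => 'GET' ), 'cli', true ),
	array( 'WP-CLI, CGI binary', array( 'REQUEST_METHOD' => 'GET' ), 'cgi-fcgi', true ),
);

foreach ( $cases as list( $label, $server, $sapi, $wp_cli ) ) {
	printf(
		"%-20s cli-by-sapi=%-5s cli-by-constant=%-5s target=%s\n",
		$label,
		var_export( is_cli_by_sapi( $sapi ), true ),
		var_export( $wp_cli, true ),
		var_export( https_redirect_target( $server, $wp_cli ), true )
	);
}
```

The guard has to be the negation of the CLI check: a condition that is true only under WP-CLI, wrapped around the redirect call itself, also skips the redirect for every browser request.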

The topic ‘Cannot modify header information…class-itsec-ssl.php’ is closed to new
replies.

 * 14 replies
 * 4 participants
 * Last reply from: [nlpro](https://wordpress.org/support/users/nlpro/)
 * Last activity: [5 years, 2 months ago](https://wordpress.org/support/topic/cannot-modify-header-information-class-itsec-ssl-php/#post-14183547)
 * Status: resolved