Title: Duplicate headers
Last modified: October 11, 2022

---

# Duplicate headers

 *  Resolved [brandstart](https://wordpress.org/support/users/brandstart/)
 * (@brandstart)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/duplicate-headers/)
 * X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
 * X-Frame-Options: There was a duplicate X-Frame-Options header.
 * Permissions-Policy: There was a duplicate Permissions-Policy header.
 * Strict-Transport-Security: There was a duplicate Strict-Transport-Security header.
 * I receive this when I check the CSP on [https://securityheaders.com/](https://securityheaders.com/)
   
   Any idea of a fix?
 *     ```
       HTTP/2	200
       server	nginx
       date	Tue, 11 Oct 2022 10:30:32 GMT
       content-type	text/html; charset=UTF-8
       vary	Accept-Encoding
       strict-transport-security	max-age=63072000; includeSubDomains; preload
       x-xss-protection	1; mode=block
       x-content-type-options	nosniff
       referrer-policy	strict-origin-when-cross-origin
       expect-ct	max-age=7776000, enforce
       content-security-policy	report-uri https://brandstart.ie
       x-frame-options	SAMEORIGIN
       permissions-policy	accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
       sg-f-cache	BYPASS
       x-xss-protection	1; mode=block
       expect-ct	max-age=7776000, enforce
       access-control-allow-origin	null
       access-control-allow-methods	GET,PUT,POST,DELETE
       access-control-allow-headers	Content-Type, Authorization
       x-content-security-policy	img-src *; media-src * data:;
       x-content-type-options	nosniff
       content-security-policy	report-uri https://brandstart.ie
       referrer-policy	strict-origin-when-cross-origin
       cross-origin-embedder-policy-report-only	unsafe-none; report-to="default"
       cross-origin-embedder-policy	unsafe-none; report-to="default"
       cross-origin-opener-policy-report-only	same-origin; report-to="default"
       cross-origin-opener-policy	same-origin-allow-popups; report-to="default"
       cross-origin-resource-policy	cross-origin
       x-frame-options	SAMEORIGIN
       permissions-policy	accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), document-domain=(), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), gamepad=(), serial=(), window-placement=()
       feature-policy	display-capture 'self'
       x-permitted-cross-domain-policies	none
       x-cache-enabled	True
       strict-transport-security	max-age=63072000; includeSubDomains; preload
       link	<https://brandstart.ie/wp-json/>; rel="https://api.w.org/"
       link	<https://brandstart.ie/wp-json/wp/v2/pages/394>; rel="alternate"; type="application/json"
       link	<https://brandstart.ie/>; rel=shortlink
       x-httpd-modphp	1
       host-header	6b7412fb82ca5edfd0917e3957f05d89
       x-proxy-cache	MISS
       x-proxy-cache-info	0 NC:000000 UP:
       content-encoding	gzip
       ```
   

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [tank](https://wordpress.org/support/users/mrtank/)
 * (@mrtank)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/duplicate-headers/#post-16101208)
 * I would like to second this issue. I am having it on all 27 websites I manage
   using this plugin. FYI.
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/duplicate-headers/#post-16102892)
 * Hi **[@mrtank](https://wordpress.org/support/users/mrtank/) [@brandstart](https://wordpress.org/support/users/brandstart/)**,
   thank you for downloading and using the **Headers Security Advanced & HSTS WP**
   plugin.
 * I am **Andrea**, and I will help explain the reason for the issue you are
   experiencing.
 * Your issue is why, when I use a third-party tool like _securityheaders.com_
   and verify the headers, it reports “**duplicate headers**”? Tell me if that is
   what you meant.
 * The most common case I have verified and encountered over time is the duplication
   of the following headers:
    - X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
    - X-Frame-Options: There was a duplicate X-Frame-Options header.
    - Permissions-Policy: There was a duplicate Permissions-Policy header.
    - Strict-Transport-Security: There was a duplicate Strict-Transport-Security
      header.
 * In this case, duplication of headers occurs because the hosting provider of your
   web services _(e.g. GoDaddy, Namecheap, Google Domains...)_ already uses headers
   as a basic configuration, which is usually the minimum to offer. The **Headers Security
   Advanced & HSTS WP** plugin, on the other hand, uses different types of headers
   and parameters to offer greater protections. These headers are added on the website
   configuration side and not the server side (_this can cause the issue you were
   experiencing with duplicate headers_).
 * To reassure you, you will not experience any penalties, slowdowns or website
   and client-side issues. In addition, if you use the plugin, its headers will be used as
   the primary, pre-studied and tested headers.
 * I hope I have explained to you in the quickest and easiest way why you are encountering
   the warning on security Headers.
 * Please do not hesitate to contact me if you have any further concerns or questions.
   I am here specifically.


The topic ‘Duplicate headers’ is closed to new replies.
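
Added example, not part of the thread or the plugin's code: a small checker that groups a pasted header dump by name and reports which headers were sent more than once, and whether the copies carry identical or different values (in the dump in the original post, the two Permissions-Policy values differ). The sample input is abridged from that dump; `REPEATABLE`, `parse_headers` and `find_duplicates` are names chosen for this example.

```python
from collections import defaultdict

# Headers that legitimately appear more than once in a response.
REPEATABLE = {"link", "set-cookie", "vary"}

# Abridged from the header dump in the original post (tab-separated, as pasted);
# both permissions-policy values are shortened here for readability.
SAMPLE = """\
HTTP/2\t200
strict-transport-security\tmax-age=63072000; includeSubDomains; preload
x-content-type-options\tnosniff
x-frame-options\tSAMEORIGIN
permissions-policy\taccelerometer=(), autoplay=(), camera=()
x-content-type-options\tnosniff
x-frame-options\tSAMEORIGIN
permissions-policy\taccelerometer=(), autoplay=(), camera=(), usb=()
strict-transport-security\tmax-age=63072000; includeSubDomains; preload
link\t<https://brandstart.ie/wp-json/>; rel="https://api.w.org/"
link\t<https://brandstart.ie/>; rel=shortlink
"""

def parse_headers(raw):
    """Group values by lower-cased name; accepts 'name<TAB>value' or 'Name: value'."""
    seen = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        if "\t" in line:
            name, value = line.split("\t", 1)
        elif ":" in line:
            name, value = line.split(":", 1)
        else:
            continue  # not a header line
        seen[name.strip().lower()].append(value.strip())
    return seen

def find_duplicates(raw):
    """Return {header: 'identical' | 'conflicting'} for headers sent more than once."""
    report = {}
    for name, values in parse_headers(raw).items():
        if len(values) > 1 and name not in REPEATABLE:
            report[name] = "identical" if len(set(values)) == 1 else "conflicting"
    return report

if __name__ == "__main__":
    for name, verdict in sorted(find_duplicates(SAMPLE).items()):
        print(f"{name}: sent more than once, {verdict} values")
```
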


 * 3 replies
 * 3 participants
 * Last reply from: [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * Last activity: [3 years, 7 months ago](https://wordpress.org/support/topic/duplicate-headers/#post-16102892)
 * Status: resolved