• Resolved josflachs

    (@josflachs)


    I’m setting up a site, and am busy installing security. I noticed several false positives reported by Security Ninja:
    – Check if server response headers contain Permissions-Policy
    – Check if server response headers contain Strict-Transport-Security

    This one I find pretty scary:
    The following plugins may not be compatible with your version of WordPress:
    – Classic Editor (tested up to 6.7.2)
    – Elementor Website Builder – More Than Just a Page Builder (tested up to 6.7.2)
    – Headers Security Advanced & HSTS WP (tested up to 6.7.2)
    – WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager (tested up to 6.7.2)
    – JetFormBuilder — Dynamic Blocks Form Builder (tested up to 6.7.2)
    – Prevent XSS Vulnerability (tested up to 6.7.2)
    – Security Ninja – Secure Firewall & Secure Malware Scanner (tested up to 6.7.2)
    – Sticky Header Effects for Elementor (tested up to 6.7.2)

    (everything is the latest version)

    I’m using Ninja Firewall and Headers Security Advanced & HSTS WP, which should (and do) cover these warnings. But they are still reported red. Should I worry about that?

    • This topic was modified 1 year, 1 month ago by josflachs.
Viewing 1 replies (of 1 total)
  • Plugin Author Lars Koudal

    (@lkoudal)

    Hello @josflachs

    Thanks for reaching out and for sharing the details about the issues you’re encountering.

    Regarding the compatibility warning, it seems like you have updated to WordPress 6.8, which was released just recently. Some plugins, including the ones listed in the warning, may not have been updated to support this latest version of WordPress yet. Notice how some specify “Tested up to 6.7.2”. The version compatibility that is displayed in the plugin section reflects the last tested version by the plugin developers, so it’s likely that they will update their plugins soon. It’s good you pay attention to these tests, but this is a warning you can ignore for now.

    For the security headers, please double-check if you’re using multiple plugins to manage these headers. For example, the plugins may conflict if both are trying to set the same headers. You only need one plugin to handle each type of security header. If you have multiple plugins trying to set the same header, Security Ninja will report it as a conflict if it detects multiple instances. Make sure to disable the security headers setting in one of the plugins, or use just one plugin for that task to avoid false positives. Try also to check with a third-party tool, for instance https://securityheaders.com/

    Let me know if you need further assistance, and I hope this clears things up for you!


The topic ‘False positives?’ is closed to new replies.
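
A local check for the situation described in the reply above, as an added example that is not from the thread or from any of the plugins mentioned: it parses a raw response header block (for instance the saved output of `curl -sI`) and reports whether the two headers from the failing checks are missing, sent once, or sent more than once. The function names and the sample response are constructed for illustration.

```python
from collections import defaultdict

# Headers named in the thread's two failing checks.
REQUIRED = ("Strict-Transport-Security", "Permissions-Policy")

# Constructed sample: two components each emit HSTS with different values,
# and nothing emits Permissions-Policy. Not captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "strict-transport-security: max-age=63072000; preload\r\n"
    "\r\n"
)


def parse_header_lines(raw):
    """Return {lowercased name: [values in wire order]}, keeping repeats."""
    seen = defaultdict(list)
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                             # header names are case-insensitive
            seen[name.strip().lower()].append(value.strip())
    return seen


def audit(raw, required=REQUIRED):
    """Classify each required header as missing, ok, duplicate or conflict."""
    seen = parse_header_lines(raw)
    report = {}
    for name in required:
        values = seen.get(name.lower(), [])
        if not values:
            status = "missing"
        elif len(values) == 1:
            status = "ok"
        elif len(set(values)) == 1:
            status = "duplicate"            # same value sent more than once
        else:
            status = "conflict"             # senders disagree on the policy
        report[name] = (status, values)
    return report


if __name__ == "__main__":
    for header, (status, values) in audit(SAMPLE_RESPONSE).items():
        print(f"{header}: {status} {values}")
```

A "duplicate" or "conflict" result points to two components setting the same header, which is the case the reply suggests resolving by leaving header management to a single plugin.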