Title: Feature-Policy PHP error
Last modified: March 29, 2019

---

# Feature-Policy PHP error

 *  Resolved [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 2 months ago](https://wordpress.org/support/topic/feature-policy-php-error/)
 * I am running Version 1.12.1. If I enable the Feature Policy, my pages are preceded
   with errors like the following. Line 437 in my installation looks like:
    `foreach(
   $feature_policy_feature as $feature => $whatever)`
 *     ```
       Warning: Invalid argument supplied for foreach() in /[redacted]/wp-content/plugins/http-headers/http-headers.php on line 437
   
       Warning: Cannot modify header information - headers already sent by (output started at /[redacted]/wp-content/plugins/http-headers/http-headers.php:437) in /[redacted]</wp-content/plugins/http-headers/http-headers.php on line 547
   
       Warning: Cannot modify header information - headers already sent by (output started at /[redacted]/wp-content/plugins/http-headers/http-headers.php:437) in /[redacted]/wp-content/plugins/http-headers/http-headers.php on line 547
       ```
   
    -  This topic was modified 7 years, 2 months ago by [Gord](https://wordpress.org/support/users/alinod/).
      Reason: Formatting issue fixed

Viewing 14 replies - 1 through 14 (of 14 total)

 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11400084)
 * Hi [@alinod](https://wordpress.org/support/users/alinod/)
 * This error has been fixed in the newest version 1.12.2
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11408900)
 * Hi [@zinoui](https://wordpress.org/support/users/zinoui/),
 * Thanks for releasing an update to address the error messages. The good news is
   that the “fix” makes the errors disappear. The bad news is that it still does
   not insert a Feature-Policy header into the responses.
 * Also, after updating to 1.12.2, I no longer have any settings in my Content-Security-
   Policy header control panel. In the new UI, all of the checkboxes are deselected
   and the textboxes are empty; my previous settings are all gone. The only thing
   retained was the “on” radio button setting.
 * Furthermore (because of the missing settings?) there is no longer a CSP header
   in the responses.
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11408912)
 * I just realized that you marked this as resolved. Should I be opening a new thread
   to continue with these 3 issues?
    -  This reply was modified 7 years, 1 month ago by [Gord](https://wordpress.org/support/users/alinod/).
      Reason: Marked ticket as not resolved
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11408993)
 * Dimitar, Here is some more good news: it appears that the CSP settings are not“
   gone” as I previously reported. I found the original settings are still in the
   database. The settings are simply not being used.
 *  [jessner](https://wordpress.org/support/users/jessner/)
 * (@jessner)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11409055)
 * I found the same with my account. Be careful not to save any changes using the
   updated plugin until this issue is resolved. I did so last night and it wiped
   all existing header settings and took down my website. I had to restore my .htaccess
   file from backup. Not fun…
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11409724)
 * Thanks for the warning [@jessner](https://wordpress.org/support/users/jessner/).
   I’m using PHP mode, but that doesn’t mean it wouldn’t wipe the data from the 
   database on me. I’ll hold off on saving any changes until [@zinoui](https://wordpress.org/support/users/zinoui/)
   fixes the new issues. In fact, I think I’ll take a snapshot of the database and
   my .htaccess file, just for my own peace of mind.
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11421757)
 * [@zinoui](https://wordpress.org/support/users/zinoui/), it’s been 3 days. Can
   you post a link to the 1.12.1 version so that I can re-install that and get my
   CSP header working again while you fix all the problems introduced in 1.12.2?
 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11422381)
 * [@alinod](https://wordpress.org/support/users/alinod/)
 * I just tested the **Feature-Policy** header in both modes – Apache and PHP. It
   works as expected.
 * Did you try to transform your current CSP settings found in your database to 
   the new UI?
 * However, here the links to v1.12.1
    [http://plugins.svn.wordpress.org/http-headers/tags/1.12.1/](http://plugins.svn.wordpress.org/http-headers/tags/1.12.1/)
   [https://downloads.wordpress.org/plugin/http-headers.1.12.1.zip](https://downloads.wordpress.org/plugin/http-headers.1.12.1.zip)
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11425949)
 * [@zinoui](https://wordpress.org/support/users/zinoui/),
 * == **Feature-Policy** ==
    With respect to the Feature-Policy, for me the expected
   behaviour is:
    - that the site will inject a Feature-Policy header into the responses.
    - that the “inspect headers” feature of your plug=in will list Feature-Policy
      with its value in the “Response headers” section and omit it from the “Missing
      headers” section.
 * I am not observing either of these.
 * == **Content-Security-Policy** ==
    With respect to the CSP policy, I didn’t see
   a “transform” option anywhere. I have an “Edit” link on the security dashboard.
   That link takes me to the new UI, but I don’t see a “transform” button or link
   on that page, either. Please provide more details on how to use the transform
   feature. Or even better, make the transformation automatic.
    -  This reply was modified 7 years, 1 month ago by [Gord](https://wordpress.org/support/users/alinod/).
      Reason: Fixed formatting errors
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11425960)
 * For further information, I also tried it in Apache mode and got the following
   lines added to my .htaccess file (with both CSP and FP enabled):
 *     ```
       # BEGIN HttpHeaders
       <IfModule mod_headers.c>
         Header always set X-Content-Type-Options "nosniff"
         <FilesMatch "\.(php|html)$">
           Header set X-XSS-Protection "1; mode=block"
           Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
           Header set Referrer-Policy "strict-origin"
           Header set Expect-CT 'max-age=3600, report-uri="https://[REDACTED]"'
         </FilesMatch>
       </IfModule>
       # END HttpHeaders
       ```
   
 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11426737)
 * It seems that for some reason it’s not working on your side. Maybe the values
   in the database are invalid.
 * This is how to view the Feature Policy settings in your database:
    `SELECT * 
   FROM wp_options WHERE option_name LIKE 'hh_feature_policy%';`
 * the `hh_feature_policy` value should be 1
    the values of `hh_feature_policy_feature`,`
   hh_feature_policy_origin`, and `hh_feature_policy_value` should be a serialized
   array.
 * If there is something incorrect, you may empty their values like this:
    `UPDATE
   wp_options SET option_value = '' WHERE option_name IN ('hh_feature_policy_feature','
   hh_feature_policy_origin', 'hh_feature_policy_value');`
 * Then go to Dashboard/Security/Feature Policy page and setup the policy ones again.
 * Hope this helps you.
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11427273)
 * **Feature Policy**
    Alright. I found the problem by looking at your source code.
   The problem is not technical; it’s poor UI design. It is not sufficient to put
   a value in each option, you must also click the checkbox next to it. After clicking
   the checkboxes, I now see the Feature-Policy header and get a green check mark
   on [securityheaders.com](https://securityheaders.com/). I have to say that the
   old UI was far more intuitive. This one is excessively long and not at all helpful.
 * **Content-Security-Policy**
 * > Please provide more details on how to use the transform feature. Or even better,
   > make the transformation automatic.
 * This is vital because right now I have to choose between:
    1. Moving forward without CSP
    2. Rolling back to 1.12.1 to get CSP working but giving up on FP and any future
       updates
    3. Switching to a different plugin
 * **Notes**
    For future reference, if you’re going to break backward compatibility,
   this should be done in a major version number (or at most a minor version number).
   This way people are more prepared for things breaking. And you need to call attention
   to this new transformation requirement before making the change to their production
   sites.
 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11428019)
 * I’m glad you already know how to use the UI.
 * For the record there is nothing wrong with Feature Policy header page.
 * Also, thank you for your feedback about the UI.
 *  Thread Starter [Gord](https://wordpress.org/support/users/alinod/)
 * (@alinod)
 * [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11429674)
 * Acknowledged, the Feature-Policy now works “as expected”. It simply needs documentation
   or a more intuitive interface so that the end user knows what the expectation
   is.
 * As an enhancement request, a Header Preview feature on the configuration page
   would show what the header would look like before saving the changes. This would
   be very helpful for troubleshooting and for avoiding downtime like what [@jessner](https://wordpress.org/support/users/jessner/)
   experienced.

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘Feature-Policy PHP error’ is closed to new replies.

 * ![](https://ps.w.org/http-headers/assets/icon-128x128.png?rev=1413576)
 * [HTTP Headers](https://wordpress.org/plugins/http-headers/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/http-headers/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/http-headers/)
 * [Active Topics](https://wordpress.org/support/plugin/http-headers/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/http-headers/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/http-headers/reviews/)

 * 14 replies
 * 3 participants
 * Last reply from: [Gord](https://wordpress.org/support/users/alinod/)
 * Last activity: [7 years, 1 month ago](https://wordpress.org/support/topic/feature-policy-php-error/#post-11429674)
 * Status: resolved