Title: HSTS Header
Last modified: March 18, 2024

---

# HSTS Header

 *  Resolved [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * (@senjoralfonso)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/)
 * Hello, I have disabled the HSTS Header in NJFW, but it still loads. But because
   I set it in NGINX, it now gets loaded twice. Please fix this. 🙁

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17514800)
 * Do you have any caching application or a CDN that may have cached the headers?
 *  Thread Starter [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * (@senjoralfonso)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17515689)
 * Hello, no sir. We are indeed using WP Rocket, but on the cache-delivered pages
   the headers are not saved; only on the real-time ones is it sent twice (I think
   because PHP is not executed on the cache).
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17518656)
 * How did you check your HTTP headers? Did you try from a terminal, by running
   this command: `curl -I https://your-site.com`
   Did you try to disable NinjaFirewall from the “Plugins” page, and check your
   HTTP headers to see if they are gone?
 *  Thread Starter [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * (@senjoralfonso)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17521867)
 * Hello, I found the problem via ssllabs.com, reviewed it in the browser console
   and tested with [https://securityheaders.com](https://securityheaders.com)
 * “Strict-Transport-Security: There was a duplicate Strict-Transport-Security header.”
 * If I deactivate Ninja Firewall, the warning seems to be gone.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17523740)
 * I tried the site but it cached the results. Can you try either from the curl command
   line, or by clicking the “NinjaFirewall > Firewall Policies > Advanced Policies
   > HTTP headers test” button?
 *  Thread Starter [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * (@senjoralfonso)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17533702)
 * Hey, this is the output:
 *     ```wp-block-code
       access-control-allow-credentials: true
       access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
       access-control-allow-origin: *
       cache-control: no-cache, must-revalidate, max-age=0, no-store, private
       content-encoding: br
       content-security-policy: base-uri 'self'; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.domain.com domain.com *.domain.com; style-src 'self' 'unsafe-inline' *.domain.com domain.com *.domain.com; img-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com *.domain.org *.domain.com *.domain.com image.domain.com domain.com *.domain.com *.domain.com; media-src 'self' *.domain.com domain.com; font-src 'self' data: *.domain.com domain.com *.domain.com *.domain.com; object-src 'self' *.domain.com domain.com; child-src 'self' blob: *.domain.com domain.com *.domain.com; manifest-src 'self' *.domain.com domain.com *.domain.com; connect-src 'self' *.domain.com domain.com api.domain.com domain.com *.domain.com domain.org api.domain.org; form-action 'self' *.domain.com domain.com *.domain.de; frame-ancestors 'self'; frame-src 'self' data: domain.com;
       content-type: text/html; charset=UTF-8
       cross-origin-embedder-policy: same-origin
       cross-origin-opener-policy: same-origin
       cross-origin-resource-policy: cross-origin
       date: Wed, 27 Mar 2024 21:45:59 GMT
       expect-staple: max-age=31536000; preload
       expires: Wed, 11 Jan 1984 05:00:00 GMT
       link: https://www.domain.com/wp-json/; rel="https://api.w.org/", https://www.domain.com/wp-json/wp/v2/pages/7703; rel="alternate"; type="application/json", https://www.domain.com/; rel=shortlink
       permissions-policy: trust-token-re
       ```
   
 *  Thread Starter [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * (@senjoralfonso)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17533755)
 * I am so sorry, I found the problem. The plugin cf7_antispam sets the header, 
   and this got cached in redis…
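
The check the thread keeps circling around, as an added example that is not part of the original posts or of NinjaFirewall: a small shell filter that reads raw response headers (for instance from the `curl -I` command quoted above) and reports any header name sent more than once, plus every `Strict-Transport-Security` value in wire order. The function names and the sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example: find response headers that more than one layer
# (web server, plugin, page/object cache) is emitting.

# dup_headers: read raw response headers on stdin and print
# "<count> <name>" for every header name seen more than once.
# Header names are case-insensitive, so they are lower-cased first.
# Feed it a single response: with redirects followed, each hop's
# header block would be counted together and look like duplicates.
dup_headers() {
  tr -d '\r' | awk -F: '
    /^[^: \t]+:/ { count[tolower($1)]++ }   # status line has no "name:" prefix
    END { for (n in count) if (count[n] > 1) print count[n], n }
  ' | sort -k2
}

# hsts_values: print each Strict-Transport-Security value in the
# order it appears on the wire, one per line.
hsts_values() {
  tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
      sub(/^[^:]*:[ \t]*/, "")
      print
    }'
}

# Constructed sample response: one HSTS header as a web server might
# add it, and a second one with a different policy from another layer.
sample_headers() {
  cat <<'EOF'
HTTP/2 200
server: nginx
date: Wed, 27 Mar 2024 21:45:59 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
EOF
}

# Offline demo on the constructed sample.
# Against a live site: curl -sI https://your-site.com | dup_headers
sample_headers | dup_headers
sample_headers | hsts_values
```

RFC 6797 section 8.1 has the browser process only the first `Strict-Transport-Security` field in a response, so when two layers send different values, the one that arrives first on the wire is the policy actually enforced.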


The topic ‘HSTS Header’ is closed to new replies.


 * 7 replies
 * 2 participants
 * Last reply from: [WebCodePoet](https://wordpress.org/support/users/senjoralfonso/)
 * Last activity: [2 years, 2 months ago](https://wordpress.org/support/topic/hsts-header/#post-17533755)
 * Status: resolved