Hi – today I tried to configure the CSP feature. I added a directive for script-src. It had no effect. Then I checked the .htaccess and noticed that no entry for CSP was present. The next test was to disable the plugin and to check the .htaccess file. Everything related to w3tc was, as I expected, gone. But when I activated the plugin again, the .htaccess did not update at all. I had to reinstall my backup of .htaccess. What is going on here? Is there a way to tell the plugin to update .htaccess? By the way, all my custom rules are labeled with #Begin… and #End… Thanks for any info. Theo
Thank you for reaching out and I am happy to help! I've just tested this and enabled Content Security Policy in Performance>Browser Cache>Security headers and set script-src: to self. Once I saved all settings and purged the cache I was able to see the header: content-security-policy:script-src 'self'
I can see that also when inspecting your website:
As for the .htaccess, the W3TC does add the rules:
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'"
</IfModule>
# END W3TC Browser Cache
As you can see, just before END W3TC Browser Cache.
Can you please share your .htaccess file and what you see there in the Browser Cache section?
@vmarko – thanks for responding. Yes, that's right, the CSP is indeed appearing in the response headers. But unfortunately, the script-src directives that I added in the browser cache section are not updated in .htaccess. That's the problem. How can I share .htaccess (it is quite big)? As for the settings in the cache section, I could provide a json file (from the export section). I could upload everything to dropbox. By the way, exporting the plugin settings opens a new browser tab and the settings are one big compressed json. That too is a bit strange, because in former versions the json was properly formatted and downloaded to my download folder… Thanks a lot for your interest and time. regards theo
Thank you for your feedback. Please check the Performance>Install section of the plugin and see if those rules are there. You can use https://pastebin.com/ and share the link. As for the .json file, I tried to replicate this; however, I always get the .json file downloaded. So it appears that the problem is with some browser cache or browser extensions. Please check other browsers and see if it works. Thanks!
@vmarko Hi – Thanks for responding. The json is under: https://pastebin.com/dQTdNve3 and htaccess: https://pastebin.com/cNtPyuTf As for the rules under Performance>Installer, I can see some rules, but I do not know what rules you are referring to. I tested downloading the plugin settings in various browsers. The behaviour described above is consistent. Please let me know when you are done with viewing the files in pastebin. regards theo
@vmarko hi – I checked with another site in dev-mode and encountered similar problems. The .htaccess is not updated when changing the settings. I also tried altering the settings with the «all in one wordpress security» plugin disabled. Same result. Exporting the plugin settings, however, worked well. regards theo
I can see the Header set Content-Security-Policy "script-src 'self'" in your .htaccess that is commented out with the #. It appears that you are using some other plugin or some custom rules for security headers and that is creating some kind of conflict. Are you using anything else besides W3TC to set this up?
@vmarko Hi – thanks for the message. Yes, it has # before that line, but that was me, not a plugin, who wrote that sign. The transfer from the plugin settings to htaccess is not happening, that's why I altered it manually. The problem persists: I reinstalled w3tc, disabled the security plugin, but it stays the same. htaccess is not changing… bye bye
The other W3TC rules are added, as you can see in the .htaccess you shared. So please let me know: when you enable those in the security settings, do you see those rules applied in the Performance>Install section? It should look something like this, depending on the settings:
@vmarko Hi – I do not enable anything in the security plugin. I just disabled the plugin to check any interference with w3tc. And yes, the rules are present under performance>install. As I said, the problem persists not only with one website, but rather several. So, in spite of the great performance of w3tc, I can't help but think of a new way. The plugin settings are not communicating with htaccess. Have a nice evening
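The check discussed in this thread (is the CSP rule inside the W3TC Browser Cache block active, commented out, or being set somewhere else in .htaccess?) can be scripted. The following is an added example, not code from the thread or from W3TC; the sample file is constructed, and the `# BEGIN W3TC Browser Cache` marker and the "custom headers" block name are assumptions modelled on the `# END W3TC Browser Cache` and #Begin…/#End… labels mentioned above.

```python
import re

# Constructed sample, not the poster's file: the plugin's CSP line is commented
# out and a hand-labelled block (hypothetical name) sets a different policy.
SAMPLE = """\
# BEGIN W3TC Browser Cache
<IfModule mod_headers.c>
    #Header set Content-Security-Policy "script-src 'self'"
</IfModule>
# END W3TC Browser Cache
#Begin custom headers
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'self' https://cdn.example"
</IfModule>
#End custom headers
"""

MARKER_RE = re.compile(r"^#\s*(BEGIN|END)\s+(.+?)\s*$", re.I)
CSP_RE = re.compile(
    r'^(#*)\s*Header\s+(?:(?:always|onsuccess)\s+)?(?:set|append|add|merge)\s+'
    r'"?(Content-Security-Policy(?:-Report-Only)?)"?\s+"([^"]*)"', re.I)

def find_csp(text):
    """List every CSP Header directive with its line, enclosing block and state."""
    block, found = None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = CSP_RE.match(line)
        if m:
            found.append({"line": no, "block": block, "header": m.group(2),
                          "active": not m.group(1), "value": m.group(3)})
        elif (m := MARKER_RE.match(line)):
            # Track which labelled block the following lines belong to.
            block = m.group(2) if m.group(1).upper() == "BEGIN" else None
    return found

def diagnose(text, plugin_block="W3TC Browser Cache"):
    """Explain why the policy served may differ from the plugin setting."""
    entries, issues = find_csp(text), []
    for e in entries:
        where = e["block"] or "no labelled block"
        if e["block"] == plugin_block and not e["active"]:
            issues.append(f"line {e['line']}: plugin CSP rule is commented out")
        elif e["block"] != plugin_block and e["active"]:
            issues.append(f"line {e['line']}: active CSP rule outside the plugin "
                          f"block ({where}): {e['value']}")
    if not any(e["block"] == plugin_block and e["active"] for e in entries):
        issues.append(f"no active CSP rule inside '{plugin_block}'")
    return issues

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```

A CSP header in the response proves only that something sets it; comparing the active rules per block shows whether the policy the browser enforces is the one configured in the plugin.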