• Resolved SoN9ne

    (@son9ne)


    The recommended security headers will always show false values if the server is configured to use these headers.

    Adding apache_response_headers would help identify headers that Apache is configured for as the current implementation only deals with .htaccess edits.

    Since .htaccess is the only check being done, this plugin is not really that efficient and will give you false values. Given the size of the alerts section, this can be very frustrating.

    Also, an update to validate response headers would be ideal too. Especially for duplicate headers as this can have negative effects and can cause unexpected issues. Strict-Transport-Security is an example of such a response header.

  • Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    Hi @son9ne,

    Thanks for the feedback. A branch to improve this is in progress, where the actual headers will be detected, be it nginx, Apache, or any other server setup. This will resolve both duplicate headers as well as false positives on missing headers.

    Thread Starter SoN9ne

    (@son9ne)

    Sounds good @rogierlankhorst. I look forward to the update.
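
Added example, not part of the thread and not the plugin's code: a check that works from the headers a server actually sent, regardless of whether they came from .htaccess, the Apache or nginx configuration, or PHP, and that flags both missing and duplicated security headers. The sample response, the function names and the list of recommended headers are assumptions made for illustration; the thread itself names only Strict-Transport-Security.

```php
<?php
// Constructed sample response (not captured from a real site). The second
// Strict-Transport-Security line models the duplicate-header case.
$rawResponse = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "Strict-Transport-Security: max-age=31536000\r\n"
    . "X-Content-Type-Options: nosniff\r\n"
    . "strict-transport-security: max-age=63072000; includeSubDomains\r\n"
    . "\r\n<html></html>";

// Assumed list of recommended headers, lowercase for case-insensitive matching.
$recommended = ['strict-transport-security', 'x-content-type-options',
                'x-frame-options', 'content-security-policy', 'referrer-policy'];

/** Parse a raw header block into lowercase name => list of values, keeping repeats. */
function parse_response_headers(string $raw): array
{
    $headers = [];
    $block = preg_split('/\r?\n\r?\n/', $raw, 2)[0]; // headers end at first blank line
    foreach (preg_split('/\r?\n/', $block) as $i => $line) {
        if ($i === 0 || strpos($line, ':') === false) {
            continue; // skip the status line and malformed lines
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return $headers;
}

/** Classify each recommended header as present, missing or duplicate. */
function audit_security_headers(array $headers, array $recommended): array
{
    $report = ['present' => [], 'missing' => [], 'duplicate' => []];
    foreach ($recommended as $name) {
        $values = $headers[$name] ?? [];
        if (count($values) === 0) {
            $report['missing'][] = $name;
        } elseif (count($values) > 1) {
            $report['duplicate'][$name] = $values; // keep every value for the alert text
        } else {
            $report['present'][$name] = $values[0];
        }
    }
    return $report;
}

print_r(audit_security_headers(parse_response_headers($rawResponse), $recommended));
```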


The topic ‘Needs apache_response_headers to be implemented’ is closed to new replies.