PHP Warning: Array to string conversion

Hello. Thank you for the plugin. I originally posted this as a comment in a relevant thread, but it was somehow deleted. Therefore, I am trying to bring attention to the issue of the plugin’s code quality with a separate post in a more detailed form.

In various configurations (when running a WP site in Docker with Nginx and Varnish, including a clean setup without other plugins), frequent errors of the following type can be encountered:

PHP Warning: Array to string conversion in /plugins/breeze/inc/cache/execute-cache.php on line 540
PHP Warning: Array to string conversion in /plugins/breeze/inc/cache/execute-cache.php on line 554

The problem is that, judging by the code in execute-cache.php, you expect string variables to be passed to header(). However, in reality, this is not always the case.

In $data on line 539, on different sites where I installed the plugin, I’ve observed the following (for example):

array (
  'name' => 'x-xss-protection',
  'value' =>
  array (
    0 => '1; mode=block',
    1 => '1; mode=block',
  ),
)

The reason for this is that some plugins, themes, and server software can add headers at different stages of page generation. While this might not be a completely normal situation because it can lead to values that are not correctly interpreted by the browser, it does happen and needs to be considered. The Breeze plugin, as far as I can see, does not take this situation into account.

You should simply add a check there for the presence of an array and take only one value. Perhaps even warn the user that such a problem exists.

There is also another issue with header() in execute-cache.php: working directly with header is insecure and often redundant. Frankly, I didn’t understand why this is even needed in a caching plugin, but if it is indeed necessary, then you should at least take care to filter headers from newline characters to avoid accidentally creating a situation where multiple headers can be passed through a single variable.