• Resolved jpfssi

    (@jpfssi)


    I have a staging site set up where it states the following in the Site Health Status:


    Your website does not send all recommended security headers.

    • Upgrade Insecure Requests
    • Permissions-Policy
    • HTTP Strict Transport Security

    The corresponding live site has the same htaccess and additional plugin settings which has all these recommendations resolved. Is there something else I should do to the staging site to resolve these issues?


Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Support Jarno Vos

    (@jarnovos)

    Hi @jpfssi,

    It does appear that these Security Headers are already correctly being set on your site (you can view the test results here), so I expect that the Site Health notice about them might still be ‘cached’.

    The message should therefore disappear over time, but it does look like these headers have already been set correctly!

    Kind regards, Jarno

    Thread Starter jpfssi

    (@jpfssi)

    Thank you for the quick response. I should have been more clear. Yes, you are correct. However, the website in question is https://fssi-splash.com/stage. I did test the /stage site at the link you provided and that also shows that the headers are installed correctly.

    I’ve had this issue for over a month already. The non-staging site took less than a week for the security header recommendations to go away but the /stage site recommendations are still there.

    Plugin Support Jarno Vos

    (@jarnovos)

    Hello @jpfssi,

    That explains why, on the /stage/ URL the headers as mentioned in your post are not being set at the moment.

    Please see the test results here: https://securityheaders.com/?q=https%3A%2F%2Fwww.fssi-splash.com%2Fstage%2F&followRedirects=on

    After these headers are inserted, the Site Health message should disappear just like it did on the ‘main’ site.

    Kind regards, Jarno

    Thread Starter jpfssi

    (@jpfssi)

    Since there was an update this morning to the plugin, I went ahead and updated. I noticed the results of the main site have changed from when you did your scan to the current results. I assume it was due to the update this morning and that it will take some time to propagate the correct header settings again.

    However, I haven’t made any updates to the headers before or after the plugin update earlier today. I did test the /stage site earlier (before the update) and got the same A+ result as the main site before the update. I did double check the header settings to see if the settings are still there and the settings have not changed.

    I will check again later to see if the results have changed again. I’ll come back here to see if the /stage site still has the same issue and if the main site is still showing a lower grade result.

    Thread Starter jpfssi

    (@jpfssi)

    I found that updating the plugin from last week has removed the settings I manually added within the #Begin Really Simple Security and #End Really Simple Security markers, causing all the security header recommendations to get flagged. I added the manual settings in and now the recommendations are good with the ‘main’ site. It took a few days for the recommendations to disappear but eventually they did on the ‘main’ site.

    However, when it comes to the staging site, I’m still getting the same security header recommendations even though these same issues have been resolved on the ‘main’ site and both staging and main sites have the same security settings in place. Here are the recommendations for the staging site based off the RS SSL plugin:

    • Upgrade Insecure Requests
    • X-XSS protection
    • Referrer-Policy
    • Permissions-Policy

    Is there another way to resolve these issues on the staging site (http://fssi-splash.com/stage/)?

    Thread Starter jpfssi

    (@jpfssi)

    I noticed that there was another update to the plugin and I went ahead and updated, however, there was still no resolution to the staging site issue. The same 3 security recommendations are still coming up:

    Upgrade Insecure Requests
    Permissions-Policy
    HTTP Strict Transport Security

    These security recommendations have been added to the htaccess file and are resolved in the live site (http://fssi-splash.com/) but are still showing up in the staging site (http://fssi-splash.com/stage/).

    Plugin Support Jarno Vos

    (@jarnovos)

    Hi @jpfssi,

    The Security Headers test for the /stage/ domain seems to display that those headers are now added. https://securityheaders.com/?q=https%3A%2F%2Fwww.fssi-splash.com%2Fstage%2F

    Are you still experiencing any issues?

    Thread Starter jpfssi

    (@jpfssi)

    Yes, I just checked and unfortunately the recommendations are still coming up under the Tools > Site Health. It’s still the same 3 security headers. I checked one of our other websites with a similar main and staging setup and that too is still showing the same exact headers. I updated the plugin yesterday.

    Plugin Support Jarno Vos

    (@jarnovos)

    Hi @jpfssi,

    As it works on the main site, and if the .htaccess files are also identical, that makes further troubleshooting from our end a bit of a challenge.

    I see that the headers are correctly set in the Security Header test, and as it concerns the staging site, the quick-fix would be to enable the “Dismiss all notices” option in Really Simple SSL on the staging site, which would clear the Site Health notice.

    Kind regards, Jarno

    Thread Starter jpfssi

    (@jpfssi)

    I found the “Dismiss all notices” setting and that did remove the recommendation, but would that mean that any issues that come up will not show up in the site health status?

    Plugin Support Jarno Vos

    (@jarnovos)

    Hi @jpfssi,

    Yes, that would be the case (for the /stage/ environment only, provided that you’ve only enabled the option on that environment).

    Plugin Support Jarno Vos

    (@jarnovos)

    Just to add a bit of further clarification to the above, it would only apply to notices added by the Really Simple SSL plugin.

    Thread Starter jpfssi

    (@jpfssi)

    Got it. I went ahead and disabled the notices in the staging sites. Please let me know if there is a resolution to this issue in the future. This has been something we noticed for the last few months and have not found a proper solution.


The topic ‘Recommended security headers’ is closed to new replies.
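
When an external scanner and the Site Health screen disagree, as they do in this thread, it helps to inspect the response for each URL directly. The following is an added example, not code from the plugin or from either poster: it parses `curl -sIL` style output and lists which of the headers named in the thread are absent from the final response. The sample responses and the `example.test` host are constructed.

```python
import re

def final_headers(raw):
    """Return the headers of the last response in a `curl -sIL` dump as a dict."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers = {}
    for line in blocks[-1].split("\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()             # header names are case-insensitive
            value = value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def has_csp_upgrade(headers):
    """"Upgrade Insecure Requests" is a CSP directive, not a header of its own."""
    csp = headers.get("content-security-policy", "")
    return any(d.strip().lower() == "upgrade-insecure-requests"
               for d in re.split(r"[;,]", csp))

# The five recommendations that appear in the thread.
CHECKS = {
    "Upgrade Insecure Requests": has_csp_upgrade,
    "HTTP Strict Transport Security": lambda h: "strict-transport-security" in h,
    "Permissions-Policy": lambda h: "permissions-policy" in h,
    "Referrer-Policy": lambda h: "referrer-policy" in h,
    "X-XSS protection": lambda h: "x-xss-protection" in h,
}

def missing(raw):
    """List the recommendations not satisfied by the final response."""
    h = final_headers(raw)
    return [name for name, ok in CHECKS.items() if not ok(h)]

# Constructed sample: main site, HTTP redirected to HTTPS, all headers present.
MAIN = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
        "HTTP/2 200\r\nstrict-transport-security: max-age=31536000\r\n"
        "content-security-policy: upgrade-insecure-requests\r\n"
        "permissions-policy: geolocation=()\r\n"
        "referrer-policy: strict-origin-when-cross-origin\r\n"
        "x-xss-protection: 1; mode=block\r\n\r\n")
# Constructed sample: staging path, CSP present but without the upgrade directive.
STAGE = ("HTTP/2 200\r\ncontent-type: text/html\r\n"
         "Content-Security-Policy: default-src 'self'\r\n"
         "Referrer-Policy: no-referrer\r\nX-XSS-Protection: 1; mode=block\r\n\r\n")

if __name__ == "__main__":
    print("main: ", missing(MAIN))
    print("stage:", missing(STAGE))
```

To use it on a real site, pass the saved output of `curl -sIL <url>` for the main and the staging URL to `missing()` and compare the two lists.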