• Resolved amsgator

    (@amsgator)


    I’m using .htaccess to send security headers and on Woo pages (cart, checkout, maybe more) the headers are being sent twice:

    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-xss-protection: 1; mode=block

    It’s only happening on Woo pages, so I assume Woo is sending the headers a second time.

    How can I stop Woo from sending them so they aren’t sent twice?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @amsgator,

    My understanding is that it is actually your web server that is sending the second header. I found a StackExchange question and answer that looks like it is very similar to your issue. Please give this a look and see if the answer gives you any pointers on how to successfully implement your security headers.

    https://stackoverflow.com/a/46778999/5672911

    Please let me know how this works out for you.

    Thanks!

    Thread Starter amsgator

    (@amsgator)

    @phillipwoo so I deleted the headers I was adding in htaccess and confirmed that the server isn’t sending any security headers on its own. What’s even more strange is that when I add them back in, it only sometimes sends the headers twice. Sometimes it sends them only once. So I’m not sure what the problem is. Maybe it’s a caching thing, I have no idea.

    Do you have a caching plugin or any kind of CDN? If so, I’d recommend flushing any caches you have access to, including your browser cache. Then test again and see if it solves the issue. Sometimes the more persistent caches will hold onto that one thing you don’t want it to. Flushing them and retesting should give you an idea if that is a contributing factor to this.

    Thanks!

    Thread Starter amsgator

    (@amsgator)

    I do, I’m using WP Fastest Cache but no CDN.

    I think (not 100%) that the issue happens on a subsequent page load, and the first page load is fine. Which makes me think it might be the caching plugin or the browser cache.

    I’ll jump on over to their side of the forums and see if it’s something they would be caching and if so if there’s a way to fix.

    Thanks.

    Okay, please let me know how it goes 🙂


The topic ‘Security Headers Sent Twice’ is closed to new replies.
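
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it parses a captured response header block and reports which of the three headers were sent more than once, and whether the repeated values agree. The two captures are constructed to mirror a first and a repeat page load, and the function names are hypothetical.

```python
from collections import defaultdict

# The three headers the thread reports as duplicated.
SECURITY_HEADERS = ("x-content-type-options", "x-frame-options", "x-xss-protection")

def parse_headers(raw):
    """Return {lowercased name: [values in order]} from a raw header block."""
    fields = defaultdict(list)
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()].append(value.strip())
    return dict(fields)

def duplicated(raw, names=SECURITY_HEADERS):
    """Map each watched header sent more than once to 'identical' or 'conflicting'."""
    fields = parse_headers(raw)
    report = {}
    for name in names:
        values = fields.get(name, [])
        if len(values) > 1:
            same = len({v.lower() for v in values}) == 1
            report[name] = "identical" if same else "conflicting"
    return report

# Constructed captures (not taken from the thread): first load, then a repeat load.
FIRST_LOAD = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

"""

REPEAT_LOAD = """HTTP/1.1 200 OK
x-content-type-options: nosniff
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block

"""

if __name__ == "__main__":
    for label, capture in (("first load", FIRST_LOAD), ("repeat load", REPEAT_LOAD)):
        print(label, duplicated(capture) or "no duplicates")
```

Running it against header captures taken before and after flushing each cache shows which layer is adding the second copy.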