• Resolved Esmertec

    (@esmertec)


    Hi! After updating Really Simple Security (RSS), the site health tab does not correctly display a notification that the site’s security headers are not configured. I rechecked all the parameters and they are more than fine; it is obvious that the bug is in the plugin itself, or rather in the display of site problems.

    root@geek-speak:~# curl -I geek-speak.ru
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Tue, 21 Jan 2025 15:41:53 GMT
    Content-Type: text/html; charset=iso-8859-1
    Connection: keep-alive
    Strict-Transport-Security: includeSubDomains; preload; max-age=63072000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Expect-CT: max-age=7776000, enforce
    Referrer-Policy: strict-origin-when-cross-origin
    Content-Security-Policy: upgrade-insecure-requests
    Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
    Location: https://geek-speak.ru/
    Strict-Transport-Security: includeSubDomains; preload; max-age=63072000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Expect-CT: max-age=7776000, enforce
    Referrer-Policy: strict-origin-when-cross-origin
    Content-Security-Policy: upgrade-insecure-requests
    Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()

    It’s also not clear why they impose a firewall on me, given that this is a paid option and I cannot disable this notification (orange options 1 and 2).

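An added example, not part of the original post or the plugin's code: a small Python audit of a pasted `curl -I` response like the one above. It reports expected headers that are missing or sent more than once and notes that HSTS received over plain HTTP is ignored by browsers; the `EXPECTED` list, the function names and the sample response are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: the expected set is the headers the response in the post carries.
EXPECTED = ("strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy",
            "content-security-policy", "permissions-policy")

# Constructed sample: a plain-HTTP 301 with two headers emitted twice.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Strict-Transport-Security: includeSubDomains; preload; max-age=63072000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://example.test/
Strict-Transport-Security: includeSubDomains; preload; max-age=63072000
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw):
    """Return (status_code, {lowercased name: [values in order seen]})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = defaultdict(list)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return status, dict(headers)

def audit(raw, scheme="http"):
    """List (finding, subject) pairs for one response fetched over `scheme`."""
    status, headers = parse_headers(raw)
    findings = []
    for name in EXPECTED:
        values = headers.get(name, [])
        if not values:
            findings.append(("missing", name))
        elif len(values) > 1:
            kind = "identical" if len(set(values)) == 1 else "conflicting"
            findings.append(("duplicate-" + kind, name))
    if scheme == "http" and "strict-transport-security" in headers:
        # Browsers only honour HSTS delivered over HTTPS (RFC 6797).
        findings.append(("hsts-ignored-over-http", "strict-transport-security"))
    if 300 <= status < 400 and "location" in headers:
        findings.append(("recheck-redirect-target", headers["location"][0]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Because `curl -I` without a scheme fetches over HTTP, the audit covers only the redirect response; run it again on the output for the `Location` URL to check what visitors actually receive.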

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Jarno Vos

    (@jarnovos)

    Hi @esmertec,

    Indeed, the Security Header test results of your site look perfectly fine. The Site Health notice is cached for performance reasons, so the notice about these headers might not disappear immediately upon configuring the recommended Security Headers.

    The notices about Limit Login Attempts and the Firewall will disappear if you enable the relevant functionality, which can be either in our plugin, or in another plugin that also includes said functionality.

    But if you don’t want to see any of these Site Health notices at all, you can simply activate the setting “Dismiss all notifications” under Security -> Settings -> General and they will disappear regardless of your configuration.

    Hope it helps/clarifies. Kind regards, Jarno

    • This reply was modified 1 year, 4 months ago by Jarno Vos. Reason: typo
    Thread Starter Esmertec

    (@esmertec)

    Hi @jarnovos, thx for the answer!

    An error about incorrect headers appeared after the last update of the plugin. I understand that this may not be an error, but after checking and convincing myself that the problem is not with my site, I decided to write a small bug report.

    Regarding disabling notifications from the plugin, also thanks for the advice, but I don’t want to do this because the RSS plugin notifies about “bad” plugins, which is extremely useful, and constantly monitoring their status is not always convenient.

    Plugin Support Jarno Vos

    (@jarnovos)

    Hi @esmertec,

    Yes, I can definitely understand why you wouldn’t want to disable all notifications, such as the ones about vulnerable plugins being detected on your site.

    If you just want to get rid of these Site Health notices (specifically the ones about LLA / Firewall / Security Headers), you could use a code snippet like the one below to manually remove these.

    You can add this code in a new .php file and place it in the /wp-content/mu-plugins/ folder on your site for it to take effect.

    <?php
    // Removes the 2FA, LLA, Firewall and Security Headers notice from Site Health overview
    add_filter('site_status_tests', 'remove_rsssl_tests', 10, 1);
    
    function remove_rsssl_tests($tests) {
        if (isset($tests['direct']['headers_test'])) {
            unset($tests['direct']['headers_test']);
        }
    
        if (isset($tests['direct']['rsssl_firewall_test'])) {
            unset($tests['direct']['rsssl_firewall_test']);
        }
    
        if (isset($tests['direct']['rsssl_lla_test'])) {
            unset($tests['direct']['rsssl_lla_test']);
        }
    
        if (isset($tests['direct']['rsssl_2fa_test'])) {
            unset($tests['direct']['rsssl_2fa_test']);
        }
    
        return $tests;
    }

    Hope this helps. Kind regards, Jarno

    Thread Starter Esmertec

    (@esmertec)

    @jarnovos, the matter turned out to be much simpler than I thought, I simply turned off the plugin and turned it on again, the notification about headers disappeared after this operation) I also installed a free third-party firewall to test the functions. There is one notification left in site health about the need to limit user login attempts.

    P.S. I don’t want to buy any functions in plugins yet, since the audience of my site is too insignificant, so I want to get by with minimal costs for now =)) in theory the easiest way out of the situation is to buy the pro version from rsssl =D


The topic ‘SSL headers are displayed incorrectly’ is closed to new replies.