Doubled up headers
I am running through some security checks on a site about to launch, and am getting warnings on my content sniffing, clickjacking and XSS protection. I am setting the following in my htaccess:
Header set X-Frame-Options: "DENY"
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options "nosniff"
And those headers appear correctly for things like images; however, on any page where Perch is included they are doubled up - see below (this is my site's
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Jun 2018 15:07:02 GMT
Expires: Thu, 21 Jun 2018 15:07:02 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
Now I can remove them from my htaccess, but that would mean anything not including Perch wouldn't have the protection. Would you be able to shed some light on what is causing this, and whether there is anything I can do to address it? My diagnostics are below.
Thanks for your help
Perch: 3.1.1, PHP: 5.6.36, MySQL: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $, with PDO
Server OS: Linux, cgi-fcgi
Installed apps: content (3.1.1), assets (3.1.1), categories (3.1.1), perch_blog (5.6.1), perch_forms (1.11), perch_twitter (4.0)
App runtimes: <?php $apps_list = [ 'perch_blog', 'perch_forms', 'perch_twitter' ];
PERCH_LOGINPATH: /admin
PERCH_PATH: /home/giantcreativedev/public_html/baxters/admin
PERCH_CORE: /home/giantcreativedev/public_html/baxters/admin/core
PERCH_RESFILEPATH: /home/giantcreativedev/public_html/baxters/admin/resources
Image manipulation: GD Imagick
PHP limits: Max upload 12M, Max POST 12M, Memory: 64M, Total max file upload: 12M
F1: 3b606135b33e6a102526838f4152a807
Resource folder writeable: Yes
DOCUMENT_ROOT: /home/giantcreativedev/public_html/baxters
HTTP_HOST: baxters.giantcreativedevelopment.co.uk
REQUEST_URI: /admin/core/settings/diagnostics/
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
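An added check, not part of the original post and not Perch code: it parses a raw response-header dump like the one above (constructed sample inline, in "Name: value" form) and reports which security headers are sent more than once, distinguishing identical repeats from pairs that differ only in case (deny vs DENY) or genuinely conflict, since the last two are the ones to chase before launch.

```python
from collections import defaultdict

# Constructed sample modelled on the doubled-up response in the post.
SAMPLE_HEADERS = """\
Cache-Control: max-age=0
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
"""

# Headers whose duplication or disagreement matters for the checks in the post.
SECURITY_HEADERS = {
    "x-frame-options", "x-content-type-options", "x-xss-protection",
    "strict-transport-security", "content-security-policy",
}

def parse_headers(raw):
    """Return {lowercased header name: [values in order]}, keeping duplicates."""
    seen = defaultdict(list)
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skip blank lines and the status line, if present
        name, value = line.split(":", 1)
        seen[name.strip().lower()].append(value.strip())
    return seen

def find_duplicates(raw):
    """Report security headers that appear more than once.

    Returns {name: (count, values, kind)} where kind is 'identical',
    'case-only' or 'conflict'. Identical repeats are harmless noise;
    case-only or conflicting pairs mean two components (here .htaccess
    and the application) are each setting the header and should be
    reconciled so only one source emits it.
    """
    report = {}
    for name, values in parse_headers(raw).items():
        if name not in SECURITY_HEADERS or len(values) < 2:
            continue
        if len(set(values)) == 1:
            kind = "identical"
        elif len({v.lower() for v in values}) == 1:
            kind = "case-only"
        else:
            kind = "conflict"
        report[name] = (len(values), values, kind)
    return report
```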