Forum
Doubled up headers
Hi,
I am running through some security checks on a site about to launch, and am getting warnings on my content sniffing, clickjacking and XSS protection. I am setting the following in my htaccess:
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
And those headers appear correctly for things like images; however, on any page where Perch is included they are doubled up - see below (this is my site's index.php):
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Jun 2018 15:07:02 GMT
Expires: Thu, 21 Jun 2018 15:07:02 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
Now I can remove them from my htaccess but that would mean anything not including Perch wouldn't have the protection. Would you be able to shed some light on what is causing this, and if there is anything I can do to address? My diagnostics are below.
Thanks for your help
Mike
Perch: 3.1.1, PHP: 5.6.36, MySQL: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $, with PDO
Server OS: Linux, cgi-fcgi
Installed apps: content (3.1.1), assets (3.1.1), categories (3.1.1), perch_blog (5.6.1), perch_forms (1.11), perch_twitter (4.0)
App runtimes: <?php $apps_list = [ 'perch_blog', 'perch_forms', 'perch_twitter' ];
PERCH_LOGINPATH: /admin
PERCH_PATH: /home/giantcreativedev/public_html/baxters/admin
PERCH_CORE: /home/giantcreativedev/public_html/baxters/admin/core
PERCH_RESFILEPATH: /home/giantcreativedev/public_html/baxters/admin/resources
Image manipulation: GD Imagick
PHP limits: Max upload 12M, Max POST 12M, Memory: 64M, Total max file upload: 12M
F1: 3b606135b33e6a102526838f4152a807
Resource folder writeable: Yes
DOCUMENT_ROOT: /home/giantcreativedev/public_html/baxters
HTTP_HOST: baxters.giantcreativedevelopment.co.uk
REQUEST_URI: /admin/core/settings/diagnostics/
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
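As an added example (not code from this thread or from Perch), here is a small Python check that reproduces what the site security test is flagging: it parses a raw HTTP response, counts every occurrence of the three security headers, and separates harmless exact repeats from conflicting values. The sample response is constructed from the headers shown above.

```python
"""Flag security headers that a response sends more than once."""
from collections import defaultdict

# The headers the site security test in the thread complains about when doubled.
SECURITY_HEADERS = {"x-frame-options", "x-xss-protection", "x-content-type-options"}

# Constructed sample, modelled on the response shown in the question above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw):
    """Return {lowercased name: [value, ...]}, keeping every occurrence in order."""
    headers = defaultdict(list)
    lines = raw.splitlines()
    body = lines[1:] if lines and lines[0].startswith("HTTP/") else lines
    for line in body:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def find_duplicates(headers, watch=SECURITY_HEADERS):
    """Return {name: (count, conflicting)} for watched headers sent more than once.

    conflicting is True when the repeated values differ after case-folding, so
    'deny' and 'DENY' count as the same value (browsers compare it case-insensitively)
    while 'DENY' and 'SAMEORIGIN' are a real conflict worth fixing first.
    """
    report = {}
    for name, values in headers.items():
        if name in watch and len(values) > 1:
            distinct = {v.lower() for v in values}
            report[name] = (len(values), len(distinct) > 1)
    return report


if __name__ == "__main__":
    for name, (count, conflict) in find_duplicates(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{name}: sent {count} times" + (" with conflicting values" if conflict else ""))
```

Point it at the output of `curl -sI` for a Perch page and a plain image to confirm which layer (htaccess or the application) is emitting each copy before removing one of them.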
It's not necessarily a problem to have the header set twice, but yes, you can turn it off.
Thanks Drew - as you say I don't think it would be a problem to have duplicates but it gets me a tick on the site security test, which I need for signoff.
Cheers for the help as always
Mike