Forum

Thread tagged as: Problem

Doubled up headers

Hi,

I am running through some security checks on a site about to launch, and am getting warnings on my content sniffing, clickjacking and XSS protection. I am setting the following in my htaccess:

Header set X-Frame-Options: "DENY"
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options "nosniff"

And those headers appear correctly for things like images, however any page where Perch is included they are doubled up - see below (this is my site's index.php):

Cache-Control   max-age=0
Connection  Keep-Alive
Content-Encoding    gzip
Content-Type    text/html; charset=UTF-8
Date    Thu, 21 Jun 2018 15:07:02 GMT
Expires Thu, 21 Jun 2018 15:07:02 GMT
Keep-Alive  timeout=5, max=100
Server  Apache
Strict-Transport-Security   max-age=63072000; includeSubDomains; preload
Transfer-Encoding   chunked
Vary    Accept-Encoding,User-Agent
X-Content-Type-Options  nosniff
X-Content-Type-Options  nosniff
X-Frame-Options deny
X-Frame-Options DENY
X-XSS-Protection    1; mode=block
X-XSS-Protection    1; mode=block

Now I can remove them from my htaccess but that would mean anything not including Perch wouldn't have the protection. Would you be able to shed some light on what is causing this, and if there is anything I can do to address? My diagnostics are below.

Thanks for your help

Mike

    Perch: 3.1.1, PHP: 5.6.36, MySQL: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $, with PDO
    Server OS: Linux, cgi-fcgi
    Installed apps: content (3.1.1), assets (3.1.1), categories (3.1.1), perch_blog (5.6.1), perch_forms (1.11), perch_twitter (4.0)
    App runtimes: <?php $apps_list = [ 'perch_blog', 'perch_forms', 'perch_twitter' ];
    PERCH_LOGINPATH: /admin
    PERCH_PATH: /home/giantcreativedev/public_html/baxters/admin
    PERCH_CORE: /home/giantcreativedev/public_html/baxters/admin/core
    PERCH_RESFILEPATH: /home/giantcreativedev/public_html/baxters/admin/resources
    Image manipulation: GD Imagick
    PHP limits: Max upload 12M, Max POST 12M, Memory: 64M, Total max file upload: 12M
    F1: 3b606135b33e6a102526838f4152a807
    Resource folder writeable: Yes
    DOCUMENT_ROOT: /home/giantcreativedev/public_html/baxters
    HTTP_HOST: baxters.giantcreativedevelopment.co.uk
    REQUEST_URI: /admin/core/settings/diagnostics/
    SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
Mike Harrison

Mike Harrison 37 points

  • 3 years ago
Drew McLellan

Drew McLellan 2638 points
Perch Support

3 years ago

It's not necessarily a problem to have the header set twice, but yes, you can turn it off.

define('PERCH_SECURITY_HEADERS', false);
Mike Harrison

Mike Harrison 37 points

3 years ago

Thanks Drew - as you say I don't think it would be a problem to have duplicates but it gets me a tick on the site security test, which I need for signoff.

Cheers for the help as always

Mike