• I don’t think this is a security issue, but am curious as to why there are duplicate headers displayed in the Google Inspector network tab. Are they being set at two different places? Maybe one is on the server hosting the site and the second at a gateway or some other system in front of the server.
    These don’t show up when I run a scan through securityheaders.com

    cross-origin-embedder-policy unsafe-none; report-to=’default’

    cross-origin-embedder-policy unsafe-none; report-to=’default’

    cross-origin-embedder-policy-report-only unsafe-none; report-to=’default’

    cross-origin-embedder-policy-report-only unsafe-none; report-to=’default’

    cross-origin-opener-policy unsafe-none

    cross-origin-opener-policy unsafe-none

    cross-origin-opener-policy-report-only unsafe-none; report-to=’default’

    cross-origin-opener-policy-report-only unsafe-none; report-to=’default’

    cross-origin-resource-policy cross-origin

    cross-origin-resource-policy cross-origin


Viewing 1 replies (of 1 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @argusnet,
    You’re right, this is not a security issue but it’s a common scenario.


    What you’re seeing happens because your hosting provider (or a CDN/proxy in front of your server) is already setting some basic security headers, and then the plugin adds its own. The result is duplicate headers.


    The reason securityheaders.com doesn’t show duplicates is that it typically only reads the first or last occurrence of each header, while Chrome DevTools shows everything that’s actually being sent.
    To fix this: Go to Settings > Headers Security Advanced & HSTS WP, then scroll to the “Hide duplicate headers” section. There you can check the boxes for the headers that are being duplicated; the plugin will then avoid setting those specific headers, letting your hosting’s configuration take precedence (or vice versa, depending on your preference).


    Let me know if you need any help identifying which headers are coming from where.
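
To check which headers arrive more than once without depending on a tool that keeps a single value per name, the script below parses a raw response and keeps every occurrence. It is an added example, not part of the thread or the plugin; the sample response, its differing `cross-origin-resource-policy` values, and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not captured from the poster's site): one header is
# repeated with the same value, one is repeated with different values.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "cross-origin-opener-policy: unsafe-none\r\n"
    "cross-origin-resource-policy: cross-origin\r\n"
    "Cross-Origin-Opener-Policy: unsafe-none\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "\r\n"
)

def parse_header_lines(raw):
    """Return every (name, value) pair in order, keeping repeated names."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise before comparing.
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def find_duplicates(pairs):
    """Map each repeated name to ('identical' | 'conflicting', [values])."""
    seen = defaultdict(list)
    for name, value in pairs:
        seen[name].append(value)
    return {
        name: ("identical" if len(set(v)) == 1 else "conflicting", v)
        for name, v in seen.items() if len(v) > 1
    }

def single_value_view(pairs, keep="last"):
    """What a tool reports if it stores one value per header name."""
    view = {}
    for name, value in pairs:
        if keep == "last" or name not in view:
            view[name] = value
    return view

if __name__ == "__main__":
    pairs = parse_header_lines(SAMPLE_RESPONSE)
    for name, (kind, values) in find_duplicates(pairs).items():
        print(f"{name}: {len(values)} occurrences, {kind}: {values}")
    for keep in ("first", "last"):
        print(f"{keep}-wins view:", single_value_view(pairs, keep))
```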
