This issue relates to the discussion at #10167.
BACKGROUND:
I'm running WordPress 4.7.1 with the WP-Piwik plugin and a self-hosted Piwik installation on the same server.
While I was running Piwik 3.0.1 previously, I noticed that my website - not the Piwik page but the actual WordPress website - was getting an empty X-Frame-Options header (i.e. with no value at all), whenever I configured the WP-Piwik plugin to use Piwik Mode: "Self-hosted (PHP API)".
This was in addition to the X-Frame-Options header that I had defined in my .htaccess file, meaning that the website was generating two X-Frame-Options headers: one empty (from Piwik) and the other with a valid value (from .htaccess).
In addition, I also saw that I was getting an empty "Pragma" header and an empty "Expires" header as well, when using PHP API.
However, if I changed the Piwik Mode to "Self-hosted (HTTP API)", then the empty X-Frame-Options header was no longer generated - and nor were the empty Pragma and Expires headers - and I was left with just the legitimate header from .htaccess.
TODAY:
Today I installed Piwik 3.0.2-b5 as requested in Issue #10167. My testing shows that the empty X-Frame-Options header no longer shows up at all, regardless of what the Piwik Mode is set to. This is good news!
However, I still have the empty Pragma and Expires showing up when Piwik Mode is set to PHP API. I have no idea why but I'd like to fix it. In addition, an extra Cache-Control header is also generated, with a value of "must-revalidate". This clashes with the Cache-Control header I have already defined in my .htaccess.
Here are the headers from my site, as generated by http://testuri.org:
Piwik Mode set to "Self-hosted (HTTP API)"
Piwik Mode set to "Self-hosted (PHP API)"
As you can see, the only difference between the two is the addition of the empty Pragma and Expires header, and the additional Cache-Control header, when using PHP API. All of the other security headers here are coming from my .htaccess.
Any ideas?
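The symptoms reported above (empty header values and a second Cache-Control line) can be checked mechanically when comparing the two Piwik modes. The following is an added example, not part of the original issue and not Piwik or WP-Piwik code; the sample response is constructed, and its header values and the function names are assumptions.

```python
from collections import defaultdict

# Headers from the report that are worth reviewing when sent more than once
# with different values (e.g. one from .htaccess and one from PHP).
REVIEW_IF_REPEATED = {"x-frame-options", "cache-control", "pragma", "expires"}

# Constructed sample modelled on the PHP API case described in the report.
# The values are illustrative only, not taken from the reporter's site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=3600, public
Pragma:
Expires:
Cache-Control: must-revalidate
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: [values in order]} from a raw header block."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def audit_headers(raw):
    """Return sorted (header, problem) tuples for empty or repeated headers."""
    findings = []
    for name, values in parse_headers(raw).items():
        if any(v == "" for v in values):
            findings.append((name, "empty value"))
        distinct = {v for v in values if v}
        if name in REVIEW_IF_REPEATED and len(distinct) > 1:
            findings.append((name, "repeated: " + " | ".join(values)))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit_headers(SAMPLE_RESPONSE):
        print(f"{name}: {problem}")
```

Saving the raw response headers for each Piwik Mode and running both through `audit_headers` gives a diff-friendly list of what changed.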