Empty HTTP headers added with PHP API mode #11391

Closed
GermanKiwi opened this issue Feb 21, 2017 · 1 comment

GermanKiwi commented Feb 21, 2017

This issue relates to the discussion at #10167.

BACKGROUND:

I'm running WordPress 4.7.1 with the WP-Piwik plugin and a self-hosted Piwik installation on the same server.

While I was running Piwik 3.0.1 previously, I noticed that my website - not the Piwik page but the actual WordPress website - was getting an empty X-Frame-Options header (i.e. with no value at all), whenever I configured the WP-Piwik plugin to use Piwik Mode: "Self-hosted (PHP API)".

This was in addition to the X-Frame-Options header that I had defined in my .htaccess file, meaning that the website was generating two X-Frame-Options headers: one empty (from Piwik) and the other with a valid value (from .htaccess).

In addition, I also saw that I was getting an empty "Pragma" header and an empty "Expires" header as well, when using PHP API.

However, if I changed the Piwik Mode to "Self-hosted (HTTP API)", then the empty X-Frame-Options header was no longer generated - and nor were the empty Pragma and Expires headers - and I was left with just the legitimate header from .htaccess.

TODAY:

Today I installed Piwik 3.0.2-b5 as requested in Issue #10167. My testing shows that the empty X-Frame-Options header no longer shows up at all, regardless of what the Piwik Mode is set to. This is good news!

However, I still have the empty Pragma and Expires showing up when Piwik Mode is set to PHP API. I have no idea why but I'd like to fix it. In addition, an extra Cache-Control header is also generated, with a value of "must-revalidate". This clashes with the Cache-Control header I have already defined in my .htaccess.

Here are the headers from my site, as generated by http://testuri.org:

Piwik Mode set to "Self-hosted (HTTP API)"

Status: HTTP/1.1 200 OK
Date: Tue, 21 Feb 2017 20:49:45 GMT
Server: Apache/2.4.20
Link: ; rel="https://api.w.org/", ; rel=shortlink
Set-Cookie: wfvt_-1772889948=58aca7eaaa9f0; expires=Tue, 21-Feb-2017 21:19:46 GMT; Max-Age=1800; path=/; HttpOnly
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Security-Policy: default-src https: data: 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.fontawesome.com
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubdomains
Referrer-Policy: no-referrer-when-downgrade
Connection: keep-alive, close
Cache-Control: max-age=86400, private
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Piwik Mode set to "Self-hosted (PHP API)"

Status: HTTP/1.1 200 OK
Date: Tue, 21 Feb 2017 20:54:12 GMT
Server: Apache/2.4.20
Link: ; rel="https://api.w.org/", ; rel=shortlink
Pragma: 
Expires: 
Cache-Control: must-revalidate
Set-Cookie: wfvt_-1772889948=58aca8f57ab44; expires=Tue, 21-Feb-2017 21:24:13 GMT; Max-Age=1800; path=/; HttpOnly
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Security-Policy: default-src https: data: 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.fontawesome.com
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubdomains
Referrer-Policy: no-referrer-when-downgrade
Connection: keep-alive, close
Cache-Control: max-age=86400, private
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

As you can see, the only difference between the two is the addition of the empty Pragma and Expires header, and the additional Cache-Control header, when using PHP API. All of the other security headers here are coming from my .htaccess.

Any ideas?
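
Added example, not part of the original post or of the Piwik / WP-Piwik code: a small Python check that parses a header dump like the two above and reports empty-valued headers and headers repeated with different values. The sample input is abridged from the PHP API dump in the post; the function names and the REPEATABLE list are assumptions of this example.

```python
from collections import defaultdict

# Sample input for this example, abridged from the PHP API dump in the post.
SAMPLE = """\
Status: HTTP/1.1 200 OK
Server: Apache/2.4.20
Pragma:
Expires:
Cache-Control: must-revalidate
X-Frame-Options: sameorigin
Connection: keep-alive, close
Cache-Control: max-age=86400, private
Content-Type: text/html;charset=UTF-8
"""

# Assumption: headers expected to repeat in a normal response, so not reported.
REPEATABLE = {"set-cookie", "link", "vary"}


def parse_headers(raw):
    """Return [(lowercased name, stripped value)] for each 'Name: value' line."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Report empty-valued headers and repeated headers whose values differ."""
    seen = defaultdict(list)
    for name, value in parse_headers(raw):
        seen[name].append(value)
    findings = []
    for name, values in seen.items():
        if "" in values:
            findings.append(("empty", name, values))
        # List-style headers (Cache-Control) are merged by recipients;
        # single-value ones (X-Frame-Options) become ambiguous when repeated.
        if name not in REPEATABLE and len(set(values)) > 1:
            findings.append(("differs", name, values))
    return findings


if __name__ == "__main__":
    for kind, name, values in audit(SAMPLE):
        print(f"{kind:8} {name}: {values!r}")
```

Running the same check on a dump taken in each plugin mode shows which headers only appear in one of them.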

Member

mattab commented Mar 21, 2017

Sorry, no idea about this. I would maybe ask in the WP-Piwik forum instead, since it seems to be a request from WordPress itself.

@mattab mattab closed this as completed Mar 21, 2017
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Mar 21, 2017