PHP response headers, like Content-Security-Policy
Hi,
Thank you for this great plugin, I think it’s the best of its kind. However, there’s one thing that causes some headaches, and I’m wondering how to resolve it. The situation below is just an example to demonstrate it.
Most of my response headers are sent from my site’s Nginx config, but the Content-Security-Policy header is special because it’s built by WordPress based on user preferences and its value may change at any time. So the problem is that these PHP-generated response headers (like CSP) are not stored in the cache, so they are not sent with the response. It’s not a bug, it’s something that is not implemented yet in this plugin.
Sure, I’m aware that the CSP header can be set in the HTML’s <head> in a <meta> tag, but it has some limitations and it downgrades the site’s security index on webpagetest.org because the preferred way is the response header method. And this problem is true for any type of header.
So I’m here to ask if there’s any plan to implement storing the response headers in the cache too? If not, at least a new action hook that fires before sending out the cached content would help a lot.
Thank you!