• Hi,

    thank you for this great plugin, I think it’s the best of its kind. However, there’s one thing that causes some headache, which I’m wondering how to resolve. The situation below is just an example to demonstrate it.

    Most of my response headers are sent from my site’s Nginx config, but the Content-Security-Policy header is special because it’s built by WordPress based on user preferences and its value may change any time. So the problem is that these PHP-generated response headers (like CSP) are not stored in the cache, so they are not sent with the response. It’s not a bug, it’s something that is not implemented yet in this plugin.

    Sure, I’m aware that the CSP header can be set in HTML’s <head> in a <meta> tag, but it has some limitations and it downgrades the site’s security index on webpagetest.org because the preferred way is the response header method. And this problem is true for any type of header.

    So I’m here to ask if there’s any plan to implement storing the response headers in the cache too? If not, at least a new hook action would help a lot which fires before sending out the cached content.

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Anonymous User 16850768

    (@anonymized-16850768)

    You’re welcome! We’re really happy to hear that.

    To learn more about your feature request, can you please let me know why the Content-Security-Policy response header can’t also be set in your server configuration file based on your required specifications?

    Storing the response headers is not currently on our roadmap but we welcome any feature request. As you may already know, the advanced-cache.php file handles the cache delivery. This file is included much earlier than when any hooks would be registered. As far as I’m aware there isn’t a way to register hooks before this takes place.

    Thread Starter coderars

    (@coderars)

    Sorry, I wasn’t aware of some important things. Now I understand, so my real problem is that the logic behind the GDPR cookie consent plugin I use is to generate custom CSP headers for every visitor based on his chosen cookie consent settings to allow/block linked resources (js/css/etc). E.g. if the visitor disallows marketing cookies then those javascript resources won’t be allowed in his custom CSP header so they will be blocked.

    Because it’s totally dynamic, there’s no way to store it in the cache. As for the feature request, the only solution I can imagine is adding some check in advanced-cache.php which looks for a (pre/user)defined php file, and if it exists, it runs that before sending out the cached page. In that file, I could generate and send the CSP header or do whatever customizations. But it’s just a sudden idea…
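A sketch of the hook file coderars proposes, as an added example that is not the cache plugin's own code: a delivery script such as advanced-cache.php would include it from a fixed path before echoing the cached HTML, and the file builds the per-visitor CSP from the consent cookie. The cookie name `cookie_consent`, its comma-separated category format and the third-party hosts are assumptions.

```php
<?php
// Added example, not the cache plugin's own code.
// Contents of a hypothetical hook file, wp-content/cache-headers.php, that a
// delivery script such as advanced-cache.php could include *before* it echoes
// the cached HTML, e.g.:
//   $hook = WP_CONTENT_DIR . '/cache-headers.php';   // fixed path, never from input
//   if (is_file($hook)) { include $hook; }
// Assumption: the consent plugin stores the visitor's choice in a cookie named
// "cookie_consent" holding comma-separated categories ("necessary,marketing").

/**
 * Build this visitor's Content-Security-Policy from consent categories only.
 * The cookie selects entries from a fixed allow-list; its raw text is never
 * copied into the header, so a tampered cookie cannot add directives or hosts.
 */
function build_visitor_csp(array $cookies): string
{
    // Hypothetical third-party hosts keyed by consent category.
    $hosts_by_category = [
        'analytics' => ['https://stats.example'],
        'marketing' => ['https://ads.example', 'https://tags.example'],
    ];

    $consent = [];
    if (isset($cookies['cookie_consent']) && is_string($cookies['cookie_consent'])) {
        $consent = array_map('trim', explode(',', $cookies['cookie_consent']));
    }

    $script_src = ["'self'"];
    foreach ($hosts_by_category as $category => $hosts) {
        if (in_array($category, $consent, true)) {
            $script_src = array_merge($script_src, $hosts);
        }
    }

    return "default-src 'self'; script-src " . implode(' ', $script_src)
        . "; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

// Send the header only if output has not started; once the cached body is
// being echoed it is too late to add response headers.
if (!headers_sent()) {
    header('Content-Security-Policy: ' . build_visitor_csp($_COOKIE));
}
```

Because the header is computed at delivery time rather than read from the cache, a visitor who withdraws marketing consent gets the stricter policy on the very next cached page load.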

    Anonymous User 16850768

    (@anonymized-16850768)

    Thank you @coderars for the clarification. We do sincerely appreciate your feedback. I’ve added your request to our list.

  • The topic ‘PHP response headers, like Content-Security-Policy’ is closed to new replies.