• jresoriaga

    (@jresoriaga)


    I have a domain https://quezoncity.gov.ph/
    and a sub domain https://staging.quezoncity.gov.ph/

    I have an issue: on my domain (prod) the plugin is activated, but when I scan with Mozilla Observatory it says the HSTS is not present in the header.

    But on my sub-domain (staging) the plugin is activated and the HSTS on Mozilla Observatory is also present.

    Can anyone help me find what the cause of this issue is?


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jresoriaga,

    Thank you for providing the headers. From what I can see, there are no Strict-Transport-Security headers present, which may indicate that the HSTS settings in the “Headers Security Advanced & HSTS WP” plugin are not enabled or are not working as they should.

    Could you please check in the WordPress admin panel under “Settings > Headers Security Advanced & HSTS WP” if the following HSTS items are enabled:

    • Max-Age;
    • Include Subdomains;
    • Preload


    These settings should be enabled to ensure that the HSTS header is set correctly. If these are already enabled and the header does not appear, we may need to further investigate potential configuration conflicts or server-imposed restrictions.

    I await your response with details of the settings.

    Thread Starter jresoriaga

    (@jresoriaga)

    Yes, I already checked this, and all is enabled. But I don’t know why, if I scan the site with Mozilla Observatory, there’s no HSTS detected.

    If it helps, the server is running nginx.
    Thank you.

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jresoriaga,

    After careful checking, it seems that Cloudflare is forcing the use of its own headers. This can sometimes override locally configured settings via the plugin. To resolve this issue, I kindly ask you to disable the use of Cloudflare’s basic headers.

    You can do this by logging into the Cloudflare control panel and searching for security-related settings, where you should find options for HSTS headers. Be sure to disable the option that requires Cloudflare to manage HSTS so that your website can manage this setting itself through the plugin.

    Let me know if you can find and change these settings or if you need further assistance.

    Thread Starter jresoriaga

    (@jresoriaga)

    Hello, sorry for the late response. We asked our third party partners to disable the HSTS on Cloudflare, and they disabled the HSTS, but the result is the same: it is still not reading the plugin and says that the HSTS header is not present.

    Thread Starter jresoriaga

    (@jresoriaga)

    Any response or update regarding this issue?

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @jresoriaga,

    Thank you for contacting me regarding the problem you are experiencing with HTTP headers on WordPress in combination with Cloudflare. I have analyzed the situation and would like to offer some specific tips that may help you solve the problem:

    Exclude Critical Resources from Cloudflare Caching:
    To ensure that changes made via the plugin are respected and do not interfere with Cloudflare, I recommend using Cloudflare’s Page Rules to exclude specific resources or paths from caching. By excluding these resources from caching, you can ensure that changes made to the .htaccess file are actually applied and visible in real time.

    Check the Plugin Settings:
    Sometimes, unexpected problems can be solved by simply deactivating and reactivating the plugin or clearing the cache. I recommend that you check the plugin settings to make sure everything is set as desired and check any documentation to best use with Cloudflare.

    We hope you find these tips helpful. If you continue to have problems or need further assistance, please do not hesitate to contact us. We are here to help you!

    Sincerely

    Thread Starter jresoriaga

    (@jresoriaga)

    Can I add additional info regarding this? The prod doesn’t have an .htaccess and the server is running nginx, not Apache. Hope this will also help in fixing the issue. Thank you for your response @andrea.

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jresoriaga,

    I ask you to contact me through support at support@tentacleplugins.com and I will help you in solving the problem with nginx.
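
One way to check the symptom discussed in this thread from saved response heads (for example the output of `curl -sI`), as an added example that is not part of the thread or the plugin's code: it parses the Strict-Transport-Security header, reports the three directives the plugin author lists, and flags whether the response carries Cloudflare's `cf-ray` or `server: cloudflare` markers. The header samples are constructed, and the six-month `max-age` minimum is an assumption.

```python
MIN_MAX_AGE = 15768000  # assumed minimum for this example: about six months, in seconds

# Constructed samples (not captured from the sites named in the thread).
SAMPLE_MISSING = """HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-XXX
"""
SAMPLE_PRESENT = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
"""

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_hsts(raw):
    """Report HSTS directives and problems for one response head."""
    headers = parse_headers(raw)
    servers = [v.lower() for v in headers.get("server", [])]
    report = {"via_cloudflare": "cf-ray" in headers or "cloudflare" in servers,
              "max_age": None, "includesubdomains": False, "preload": False,
              "problems": []}
    values = headers.get("strict-transport-security", [])
    if not values:
        report["problems"].append("header missing")
        return report
    if len(values) > 1:  # RFC 6797: a browser processes only the first one
        report["problems"].append("header sent more than once")
    for directive in values[0].split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            report["max_age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            report[name] = True
    if report["max_age"] is None:
        report["problems"].append("max-age missing or invalid")
    elif report["max_age"] < MIN_MAX_AGE:
        report["problems"].append("max-age below assumed minimum")
    return report

if __name__ == "__main__":
    for label, raw in (("missing", SAMPLE_MISSING), ("present", SAMPLE_PRESENT)):
        print(label, audit_hsts(raw))
```

Running the same audit on a response fetched directly from the origin and on one fetched through the public hostname shows on which hop the header is absent.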
