#37690 Double response headers?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
4.2.2
PHP version
8.0
Admin Tools version
7.1.10

Latest post by nicholas on Wednesday, 07 September 2022 01:06 CDT

jjst135

Hi! When I set the Referrer Policy header to 'strict-origin' on this site, I get these response headers (amongst others) on the website:

referrer-policy: strict-origin-when-cross-origin
referrer-policy: strict-origin

x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN

I am not an expert at this at all, but does this seem right?
Can there be two referrer-policies in one htaccess?

And also: two identical x-frame-options rules?

Are these response headers only added by the htaccess file on our server or are there also other settings on the server that can (do) set these headers?

Kind regards,
Jip

nicholas
Akeeba Staff
Manager

If you have enabled Joomla's HTTP Headers system plugin AND are using the .htaccess Maker you MAY end up with double headers, depending on your Apache version and configuration.

The X-Frame-Options header comes from the “Protect against clickjacking” feature. It's set to always append that header. We can change that to always set to prevent that issue with Joomla's system plugin.

However, for the Referrer-Policy header we use "always set" which is supposed to replace any existing headers, see https://httpd.apache.org/docs/current/mod/mod_headers.html#header.

This tells me that something else on or in front of your site is trying to append headers.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
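
Added example (not part of the ticket and not Admin Tools code): a Python check that groups response headers by name and reports security headers that arrive more than once, separating identical repeats from conflicting values such as the two Referrer-Policy lines in the question. The sample response is constructed from the header values quoted in the ticket; the function name and the list of headers checked are assumptions made for this example.

```python
from collections import defaultdict

# Headers expected once per response (assumed list for this example).
SINGLE_VALUE_HEADERS = {
    "referrer-policy",
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
}

# Constructed sample: a status line plus the header values quoted in the ticket.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "referrer-policy: strict-origin-when-cross-origin\r\n"
    "referrer-policy: strict-origin\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "\r\n"
)


def find_doubled_headers(raw_response, watched=SINGLE_VALUE_HEADERS):
    """Return {header: {"values": [...], "kind": "identical" | "conflicting"}}."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    seen = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        seen[name.strip().lower()].append(value.strip())

    findings = {}
    for name, values in seen.items():
        if name in watched and len(values) > 1:
            # Compare case-insensitively: SAMEORIGIN and sameorigin are the same token.
            distinct = {v.lower() for v in values}
            kind = "identical" if len(distinct) == 1 else "conflicting"
            findings[name] = {"values": values, "kind": kind}
    return findings


if __name__ == "__main__":
    for name, info in find_doubled_headers(SAMPLE_RESPONSE).items():
        print(f"{name}: {info['kind']} -> {info['values']}")
```

Running it on the header block captured before and after disabling one of the header sources shows which layer contributes each copy.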

jjst135

Ah, I completely missed the system HTTP Headers plugin. I will have a look at that. Do you suggest we just disable that plugin and use the htaccess created by Admin Tools?

jjst135

I think your answer will be:

"Since you are already using .htaccess Maker which sets up these headers you must not use Joomla's plugin. Using the .htaccess method is better because the headers are sent more consistently for all requests, not just the HTML document requests Joomla itself handles."

https://www.akeeba.com/support/admin-tools/36181:joomla-4-http-header-plugin.html

nicholas
Akeeba Staff
Manager

You guessed correctly :)

