Error parsing header X-XSS-Protection about plg_system_httpheader HOT 9 CLOSED

Yes and now i see why:

Fetch all HTTP request headers

The HTTP Security Headers are response headers ;)

I agree we should mention it on the docs (will add a note to the 4.x doc page as well) but i would not include special tooling. As therefor you should use the Browser Console and this is the only source of truth right? Do you agree?

from plg_system_httpheader.

Done: https://docs.joomla.org/J4.x:Http_Header_Management#Notes

from plg_system_httpheader.

Hmm agree but i don't see where i can do much about it inside joomla or a Plugin. Will merge the PR to add it to the docs thanks.

from plg_system_httpheader.

Maybe it would be possible to build in a check in the back-end of the plugin to display the headers?
https://www.php.net/manual/en/function.getallheaders.php

It might be a bit over-engineering though, as it's a one-time-only configuration and you could check them via your browser. So putting something in the documentation is enough.

from plg_system_httpheader.

Hmm seems this is not there for nginx? Can you check whether this is the case? The idea is also to keep this here in sync with the core Plugin.
Checking the header in the browser should do the trick. We might can add something to the debug Plugin. But that feels like that we would just try to reinvent the browser console in joomla.

from plg_system_httpheader.

I suppose that it's just the general browser head, not Apache only. But I could be wrong.

Keeping the J3 version in sync with J4 is another argument to just mention the possible double header issue in the documentation. :-)

from plg_system_httpheader.

This function is an alias for apache_request_headers().

Can you try whether that function fails on nginx hosts?

from plg_system_httpheader.

Yes. In a Joomla site on an Nginx server I added the following to the template:

foreach (getallheaders() as $name => $value) {
    echo "$name: $value\n<br>";
}

and it's output:

Cookie: [removed]
Accept-Language: en,nl-NL;q=0.9,nl;q=0.8,en-GB;q=0.7,en-US;q=0.6 
Accept-Encoding: gzip, deflate, br 
Referer: [removed]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 
Dnt: 1 
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[removed] Safari/[removed]
Upgrade-Insecure-Requests: 1 
Cache-Control: max-age=0 
Host: [removed]
Content-Length: 
Content-Type: 

So, even on Nginx the getallheaders works (also apache_request_headers() works!).
Apparently it does not display any of the HTTP Security Headers.

from plg_system_httpheader.

Yes, I fully agree

from plg_system_httpheader.