Critical Error with Headers Security Plugin

What issue or error are you experiencing?

The “Headers Security Advanced & HSTS WP” plugin generates a critical error in both the backend and frontend.
Deactivating the plugin resolves the issue.
An investigation is underway to determine the exact cause of the error. It is noteworthy that this issue has not been observed on XAMPP, another popular local server solution, nor on multiple hosting platforms. This suggests that localwp is likely the culprit, potentially due to a misconfiguration of PHP or other factors.
Issue observed on a freshly installed WordPress 6.5.2 without any other plugins.

What steps can be taken to replicate the issue? Feel free to include screenshots, videos, etc

Page Backend view

Untitled315×832 17 KB

Front-end preview

Untitled1319×835 32.6 KB

System Details

• Local Version:
  Version 9.0.2+6676
• Operating System (OS) and OS version:
  W11 23H2

Local Logs

Attach your Local Logs here (Help Doc - Retrieving Local’s Log)
local-logs.zip (11.7 KB)

Security Reminder
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.

Hi @wpdistrib

What is the critical error that’s being thrown? Have you shared that with the plugin developers or their forums to see if there is any insight there?

Is there any difference in behavior if the site is in Localhost or Site Domains Router Mode, or if the SSL is Trusted?

Hi,
Yes, I’ve also submitted a ticket on wordpress.org to the extension developer, but haven’t received a response yet.

However, after testing this extension numerous times on servers or locally with XAMPP, I’ve never encountered this bug, suggesting there might be an incompatibility with LocalWP locally. I haven’t tested the deployment feature under LocalWP, so I’m unsure if the issue would be resolved. It appears that the WordPress admin bar no longer displays correctly (only text, without CSS formatting) when viewing the frontend, and the same issue occurs when accessing the page menu in the backend.

For your information, I recently discovered LocalWP through the keyword “blueprint” and tested it with my own blueprint (wpdistrib v6.5), where I encountered this bug.
This extension, “Headers Security Advanced & HSTS WP,” is essential as it enhances security for the test: “Analyse your HTTP response headers (securityheaders.com).”

I hope you find a solution. Apart from this, I’ve greatly enjoyed using LocalWP, which is much faster than XAMPP. Additionally, I’m impressed by the blueprint feature of LocalWP. Keep up the good work!

Hi @wpdistrib

Thank you for the followup!

Can you share the critical error you receive?

Also when you’re viewing the site like in your original screenshot above, if you open up the dev console are there any errors in there?

Is there any difference in behavior if the site is in Localhost or Site Domains Router Mode, or if the SSL is Trusted?

This same site migrated to a server with a domain name works fine in SSL. I haven’t tested the online version of Local Sites.

dev console: before activating the Headers Security Advanced & HSTS WP plugin.

JQMIGRATE: Migrate is installed, version 3.4.1

content_page.js:2506 Bartender API access denied.

test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.

test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.

test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.

test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.

After activating the plugin.

GET https://test.local/wp-includes/css/dashicons.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID
test.local/:32

   GET https://test.local/wp-includes/css/admin-bar.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:52

   GET https://test.local/wp-includes/blocks/navigation/style.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:53

   GET https://test.local/wp-content/plugins/twentig/dist/blocks/navigation/style.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:93

   GET https://test.local/wp-includes/blocks/button/style.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:106

   GET https://test.local/wp-includes/blocks/image/style.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:285

   GET https://test.local/wp-includes/blocks/navigation/view.min.js?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:163

   GET https://test.local/wp-content/plugins/twentig/dist/blocks/post-template/style.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:181

   GET https://test.local/wp-content/plugins/query-monitor/assets/query-monitor.css?ver=3.16.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:196

   GET https://test.local/wp-includes/css/dist/block-library/common.min.css?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:197

   GET https://test.local/wp-content/plugins/twentig/dist/blocks/common.css?ver=cf1e1326bd150e5e0838 net::ERR_CERT_AUTHORITY_INVALID

test.local/:263

   GET https://test.local/wp-content/plugins/wp-optimize/css/wp-optimize-global-3-3-2.min.css?ver=3.3.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:286

   GET https://test.local/wp-includes/js/dist/interactivity.min.js?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:264

   GET https://test.local/wp-content/plugins/seo-by-rank-math/assets/front/css/rank-math.css?ver=1.0.218 net::ERR_CERT_AUTHORITY_INVALID

test.local/:265

   GET https://test.local/wp-content/plugins/twentig/dist/blocks/tw-spacing-default.css?ver=1.8.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:269

   GET https://test.local/wp-includes/js/jquery/jquery.min.js?ver=3.7.1 net::ERR_CERT_AUTHORITY_INVALID

test.local/:270

   GET https://test.local/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 net::ERR_CERT_AUTHORITY_INVALID

test.local/:275

   GET https://test.local/wp-content/plugins/query-monitor/assets/query-monitor.js?ver=3.16.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:303

   GET https://test.local/wp-content/uploads/2024/01/wp-distrib-mini-footer-logo.png net::ERR_CERT_AUTHORITY_INVALID

test.local/:396

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/images/building-exterior.webp net::ERR_CERT_AUTHORITY_INVALID

test.local/:567

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/images/tourist-and-building.webp net::ERR_CERT_AUTHORITY_INVALID

test.local/:585

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/images/windows.webp net::ERR_CERT_AUTHORITY_INVALID

test.local/:830

   GET https://test.local/wp-includes/js/hoverintent-js.min.js?ver=2.2.1 net::ERR_CERT_AUTHORITY_INVALID

test.local/:831

   GET https://test.local/wp-includes/js/admin-bar.min.js?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:873

   GET https://test.local/wp-content/plugins/seo-by-rank-math/assets/front/js/rank-math.js?ver=1.0.218 net::ERR_CERT_AUTHORITY_INVALID

test.local/:830

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/fonts/inter/Inter-VariableFont_slnt,wght.woff2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:830

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_400.woff2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:830

   GET https://test.local/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_italic_400.woff2 net::ERR_CERT_AUTHORITY_INVALID

test.local/:303

   GET https://test.local/wp-content/uploads/2024/02/wpdistrib-wordpress-admin-mode-icon-150x150.png net::ERR_CERT_AUTHORITY_INVALID

test.local/:311

   GET https://test.local/wp-content/uploads/2024/01/wpdistrib-logo-white-gradient-background.png net::ERR_CERT_AUTHORITY_INVALID

(index):29

   GET https://test.local/wp-includes/js/wp-emoji-release.min.js?ver=6.5.2 net::ERR_CERT_AUTHORITY_INVALID

t @ (index):29
(anonymous) @ (index):29
Promise.then (async)
(anonymous) @ (index):29
(anonymous) @ (index):29
(index):1108 QM error from page: undefined QM_i18n
(anonymous) @ (index):1108
load (async)
(anonymous) @ (index):1098
(index):1116 A JavaScript problem on the page is preventing Query Monitor from working correctly. jQuery may have been blocked from loading.
(anonymous) @ (index):1116
load (async)
(anonymous) @ (index):1098
(index):1120 QM error from page: undefined jQuery
(anonymous) @ (index):1120
load (async)
(anonymous) @ (index):1098
/wp-content/uploads/2024/01/wp-distrib-mini-footer-logo.png:1

   GET https://test.local/wp-content/uploads/2024/01/wp-distrib-mini-footer-logo.png net::ERR_CERT_AUTHORITY_INVALID

content_page.js:2506 Bartender API access denied.
SerpResultsMetrics.handleError @ content_page.js:2506
SerpResultsMetrics.receive @ content_page.js:2456
(anonymous) @ content_page.js:2299
Show 3 more frames
Show less
/wp-content/uploads/2024/01/wp-distrib-mini-footer-logo.png:1

   GET https://test.local/wp-content/uploads/2024/01/wp-distrib-mini-footer-logo.png net::ERR_CERT_AUTHORITY_INVALID

test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.
test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.
test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.
test.local/:1 Third-party cookie will be blocked. Learn more in the Issues tab.

This part mentioned repeatedly seems to indicate an issue with the certificate.

Do you have your Local SSL trusted?

I’ll leave this here if you want to look through some other SSL in Local troubleshooting as well:

Thank you so much for your feedback. I enabled Trust, then forced it locally with https:// before ‘test.local’. And indeed, no more plugin issues. So, I’ll try to develop my next versions of my WordPress distribution WPDistrib on your LocalWP instead of Xampp. I love the blueprint spirit of localwp. Keep up the great work. Ethan.

Glad to hear it @wpdistrib! Thank you for following up and letting us know.

This topic was automatically closed 36 hours after the last reply. New replies are no longer allowed.