BackWPup – Missing or not expected HTTP response headers


This topic contains 1 reply, has 2 voices, and was last updated by  Nitin 1 year, 3 months ago.

  • #28274

    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    The problem (see errors below) is caused by a HEAD Request being made by BackWPup and BPS is blocking that HEAD Request made by BackWPup.

    Solution:
    Depending on your web host, the BPS Root htaccess file Request Methods Filtered code will be one of the two example code blocks below. Either block of code does the exact same thing and the whitelisting method to allow HEAD Requests is exactly the same:

    1.  Go to the BPS htaccess File Editor tab page > click “Your Current Root htaccess File” tab > Copy the REQUEST METHODS FILTERED htaccess code from your BPS root htaccess file.
    2.  Go to BPS Root Custom Code and paste your REQUEST METHODS FILTERED htaccess code that you copied to this BPS Root Custom Code text box:  CUSTOM CODE REQUEST METHODS FILTERED.
    3.  Comment out the last 2 lines of either block of code (examples shown below) with a # sign as shown below.
    4.  Click the Save Root Custom Code button.
    5.  Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy 
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    Or you may see this REQUEST METHODS FILTERED code:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    BackWPup error:

    Missing or not expected HTTP response headers:
    date: Mon, 22 Feb 2016 22:20:11 GMT
    server: Apache/2.4.9 (Win32) OpenSSL/1.0.1g
    x-frame-options: SAMEORIGIN
    set-cookie: PHPSESSID=p8pmpaiu57ng2o8fb9fg3ga7b4; path=/
    expires: Sat, 26 Jul 1997 05:00:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    status: 405 Method Not Allowed
    allow: GET, POST, PUT
    x-content-type-options: nosniff
    connection: close
    content-type: text/html; charset=UTF-8

    BPS Security Log error entry:

    [405 HEAD Request: February 22, 2016 - 2:20 pm]
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 127.0.0.1
    Host Name: xxxx-HP
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER:
    REQUEST_URI: /wp-cron.php?_nonce=3038975b94&doing_wp_cron=1456179611.6969730854034423828125&backwpup_run=test
    QUERY_STRING: _nonce=3038975b94&doing_wp_cron=1456179611.6969730854034423828125&backwpup_run=test
    HTTP_USER_AGENT: BackWPup/3.2.4; WordPress/4.4.2; http://demo5.local
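
Added example, not part of the original post and not BPS code: a Python script that parses Security Log entries in the layout shown above and counts blocked HEAD requests per client, address and path, so you can see which callers are affected before allowing HEAD. The function names and the sample entries (nonce values, the ExampleMonitor client) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log entry above (nonces and 2nd client made up).
SAMPLE_LOG = """\
[405 HEAD Request: February 22, 2016 - 2:20 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 127.0.0.1
REQUEST_URI: /wp-cron.php?_nonce=0000000000&backwpup_run=test
HTTP_USER_AGENT: BackWPup/3.2.4; WordPress/4.4.2; http://demo5.local

[405 HEAD Request: February 22, 2016 - 2:25 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 127.0.0.1
REQUEST_URI: /wp-cron.php?_nonce=1111111111&backwpup_run=runnow
HTTP_USER_AGENT: BackWPup/3.2.4; WordPress/4.4.2; http://demo5.local

[405 HEAD Request: February 22, 2016 - 3:02 pm]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 203.0.113.7
REQUEST_URI: /
HTTP_USER_AGENT: ExampleMonitor/1.0
"""
ENTRY_HEADER = re.compile(r"^\[(?P<title>[^:\]]+): (?P<when>[^\]]+)\]$")

def parse_entries(text):
    """Split the log into one dict per entry, keyed by field name."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"title": header["title"], "when": header["when"]}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return entries

def blocked_head_sources(entries):
    """Count blocked HEAD requests per (client, address, path); query strings are dropped."""
    counts = Counter()
    for e in entries:
        if e.get("Event Code", "").startswith("BFHS-HEAD"):
            client = e.get("HTTP_USER_AGENT", "").split(";")[0] or "(none)"
            path = e.get("REQUEST_URI", "").split("?")[0]
            counts[(client, e.get("REMOTE_ADDR", ""), path)] += 1
    return counts

if __name__ == "__main__":
    print(blocked_head_sources(parse_entries(SAMPLE_LOG)).most_common())
```

A summary dominated by your own backup plugin calling /wp-cron.php from the local address matches the situation in this topic; other clients in the list are the ones that would also be let through once the HEAD lines are commented out.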

  • #32361

    Nitin
    Participant

    Server Headers Tool lists out all the Response Headers: https://1nine.com/Web/ServerHeaders sent by the web server including cookies being set.
