Missing cache directives and https security headers

What is the name of the domain?

What is the error number?

none

What is the error message?

none

What is the issue you’re encountering?

The cache directives from WP Fastest Cache are missing completely as are the HSTS and NoSniff HTTPS headers from Cloudflare. I have checked with the WPFC dev and all is well with the plugin. When I purge Cloudflare cache, or pause it, the issue disappears. I’m seeing this issue on multiple sites. I can’t find a setting in Cloudflare that is different between a site with this issue and a site that does not have this issue. What has changed in the security or cache settings that would cause this?

What steps have you taken to resolve the issue?

purged Cloudflare cache

What are the steps to reproduce the issue?

none

This issue is now costing money.

The lack of the HSTS settings is knocking sites out of the Chrome Preload Safe Site list. And the lack of caching is slowing sites to the point of noticeable drop-off from visitors and sales.

How can we get attention on this problem to fix whatever change Cloudflare made?

Hey, this is happening on my website too!! When will you fix it?

I’m standing in this line as well - Please fix this ASAP!

I’m also affected. When can we expect a fix?

I am having this issue also. Please fix this ASAP and keep us updated on changes!

This is affecting my site as well and costing me money in lost traffic.
Where were these changes posted, as it would have been nice to know about it sooner.

This issue is affecting my site too, and it is costing me money! I can’t see anywhere that you posted about these changes, can you tell me where this is? It’s not acceptable to make these changes that damage my site without notice and no way to fix it.

This is also the problem with my website.
Please solve the issue and bring back the correct integration with WP Fastest Cache, as well as the two security headers my site is missing now.

Making changes without letting your users know is a bad practice these days.

Please solve this!

8 people all diligently reporting the same issue in the same thread? Not a single thread other than this one describing the issue. Yeah…. something is clearly sus.

How does one suppose that statistical anomaly occurred?

If all of you are using the same tool and reporting the same problem how is it none of you have server logs to demonstrate that the headers are being passed to Cloudflare? Or any diagnostic logs at all.

1 Like

I asked all of my clients and the webmasters I teach who manage their client sites to check their headers and to report here if they saw a problem. I fully expect there to be more folks reporting in as they get to those checks this week.

It’s super easy for anyone who wants to check the headers to do so with any header check tool. Not sure why server logs are required.

@accounts16 the sites are proxied. So while it’s possible to verify the headers aren’t being presented by Cloudflare, there’s no evidence the headers are being sent by the origin server when a request is processed by the origin server.

The headers for the site return cf-cache-status: DYNAMIC so the content isn’t being cached on Cloudflare’s cache. So an example where that is being returned after a Cloudflare cache purge would also be instructive.

This is a community forum so participants here can only test what they can glean from public information. It’s impossible (for example) for us to test against the origin server directly without knowing the origin server’s IP address.

The first person I contacted was my hosting and all is good there. Then I contacted the dev of the caching plugin since those cache directives were being knocked out, all good there, and he confirmed that purging Cloudflare caching gave it a temporary reprieve.

Not sure how to explain that the HSTS and NoSniff directives are not being delivered, as they are directly from Cloudflare other than it being an issue at Cloudflare itself.

This is happening on my sites as well as numerous of the people I support.

It is imperative for this to be resolved as it is costing time, money, and peace of mind.

Well since you didn’t provide any logs I’m simply confused… because as you can see at the time when I asked for clarification your website was returning the headers you claim Cloudflare isn’t returning. And for the others posting who don’t mention their domain, I’ll have to assume your sites are working just fine as well. If not, open a support ticket.

❯ curl -Ikv https://ecreatorshub.com/
* Host ecreatorshub.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.21.11.2, 172.67.164.221
*   Trying 104.21.11.2:443...
* Connected to ecreatorshub.com (104.21.11.2) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=ecreatorshub.com
*  start date: Apr  7 13:04:17 2025 GMT
*  expire date: Jul  6 14:01:33 2025 GMT
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://ecreatorshub.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: ecreatorshub.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: ecreatorshub.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
HTTP/2 200
< date: Sun, 13 Apr 2025 21:32:43 GMT
date: Sun, 13 Apr 2025 21:32:43 GMT
< content-type: text/html
content-type: text/html
< cache-control: max-age=0, no-cache, no-store, must-revalidate
cache-control: max-age=0, no-cache, no-store, must-revalidate
< expires: Mon, 29 Oct 1923 20:30:00 GMT
expires: Mon, 29 Oct 1923 20:30:00 GMT
< last-modified: Mon, 07 Apr 2025 16:04:24 GMT
last-modified: Mon, 07 Apr 2025 16:04:24 GMT
< vary: Accept-Encoding,User-Agent
vary: Accept-Encoding,User-Agent
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< referrer-policy: no-referrer-when-downgrade
referrer-policy: no-referrer-when-downgrade
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-security-policy: block-all-mixed-content
content-security-policy: block-all-mixed-content
< pragma: no-cache
pragma: no-cache
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400
< x-turbo-charged-by: LiteSpeed
x-turbo-charged-by: LiteSpeed
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z3ftBV7i0qL24updUIEioajqvhidYY8fFfojT1GkjADIQDuaRaygZDkSRXTo75zvrKnxhZ%2BT0RdynlMJBwK7Bw1MDCHimA1Jc8ZZHIKZjl6yTK9zept1guSV9sK2ROaRS3vd"}],"group":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z3ftBV7i0qL24updUIEioajqvhidYY8fFfojT1GkjADIQDuaRaygZDkSRXTo75zvrKnxhZ%2BT0RdynlMJBwK7Bw1MDCHimA1Jc8ZZHIKZjl6yTK9zept1guSV9sK2ROaRS3vd"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
x-content-type-options: nosniff
< server: cloudflare
server: cloudflare
< cf-ray: 92fe13e3ad81d826-EWR
cf-ray: 92fe13e3ad81d826-EWR
< server-timing: cfL4;desc="?proto=TCP&rtt=24151&min_rtt=20357&rtt_var=6515&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2925&recv_bytes=574&delivery_rate=129158&cwnd=242&unsent_bytes=0&cid=d11c5b417c29be8a&ts=170&x=0"
server-timing: cfL4;desc="?proto=TCP&rtt=24151&min_rtt=20357&rtt_var=6515&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2925&recv_bytes=574&delivery_rate=129158&cwnd=242&unsent_bytes=0&cid=d11c5b417c29be8a&ts=170&x=0"
<

* Connection #0 to host ecreatorshub.com left intact

… and here are those same headers from Friday when you posted originally.

curl -Ikv https://ecreatorshub.com/
* Host ecreatorshub.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.21.11.2, 172.67.164.221
*   Trying 104.21.11.2:443...
* Connected to ecreatorshub.com (104.21.11.2) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=ecreatorshub.com
*  start date: Apr  7 13:04:17 2025 GMT
*  expire date: Jul  6 14:01:33 2025 GMT
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://ecreatorshub.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: ecreatorshub.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: ecreatorshub.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
HTTP/2 200
< date: Fri, 11 Apr 2025 23:35:51 GMT
date: Fri, 11 Apr 2025 23:35:51 GMT
< content-type: text/html
content-type: text/html
< cache-control: max-age=0, no-cache, no-store, must-revalidate
cache-control: max-age=0, no-cache, no-store, must-revalidate
< expires: Mon, 29 Oct 1923 20:30:00 GMT
expires: Mon, 29 Oct 1923 20:30:00 GMT
< last-modified: Mon, 07 Apr 2025 16:04:24 GMT
last-modified: Mon, 07 Apr 2025 16:04:24 GMT
< vary: Accept-Encoding,User-Agent
vary: Accept-Encoding,User-Agent
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< referrer-policy: no-referrer-when-downgrade
referrer-policy: no-referrer-when-downgrade
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-security-policy: block-all-mixed-content
content-security-policy: block-all-mixed-content
< pragma: no-cache
pragma: no-cache
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400
< x-turbo-charged-by: LiteSpeed
x-turbo-charged-by: LiteSpeed
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2B5VqW5sIs6GTBeURlvfkYOw6Tc12oBJCh%2BMi75Znrt0ipVViWcx9FquvU0zr15hcWek6sCiffEsaaMqWCAa%2BKAw4h4ScZuz1hVhEr31fyOMshmfN3%2FVQ1iTiA3wU8Q54Ljv"}],"group":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2B5VqW5sIs6GTBeURlvfkYOw6Tc12oBJCh%2BMi75Znrt0ipVViWcx9FquvU0zr15hcWek6sCiffEsaaMqWCAa%2BKAw4h4ScZuz1hVhEr31fyOMshmfN3%2FVQ1iTiA3wU8Q54Ljv"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
x-content-type-options: nosniff
< server: cloudflare
server: cloudflare
< cf-ray: 92ee4d7f380943b8-EWR
cf-ray: 92ee4d7f380943b8-EWR
< server-timing: cfL4;desc="?proto=TCP&rtt=24444&min_rtt=23228&rtt_var=8475&sent=6&recv=10&lost=0&retrans=0&sent_bytes=2903&recv_bytes=574&delivery_rate=87155&cwnd=221&unsent_bytes=0&cid=ddd3a94c41fde0f0&ts=159&x=0"
server-timing: cfL4;desc="?proto=TCP&rtt=24444&min_rtt=23228&rtt_var=8475&sent=6&recv=10&lost=0&retrans=0&sent_bytes=2903&recv_bytes=574&delivery_rate=87155&cwnd=221&unsent_bytes=0&cid=ddd3a94c41fde0f0&ts=159&x=0"
<

* Connection #0 to host ecreatorshub.com left intact

I tested 18 sites and several of them were also verified by the host, the caching plugin dev, and a header tester as not providing the caching directives and 2 HTTPS headers. All of us are in different Cloudflare mirrored regions. I also tested sites that were on the same WHM account and only the ones that had the free Cloudflare plan had this issue. Pro plan sites did not, and neither did any of my clients on the Pro plan that I tested.

I’m glad it was working for you on the day I posted. It was not for us. And not working for all the other folks who tested and posted here either. Several of those sites have been knocked off the Chrome preload safe site list due to lack of HSTS header.

I have retested some of the sites today and all of the caching directives and HTTPS headers are present. So hopefully the issue has been fixed. Now we have to resubmit sites to Chrome’s HSTS list.

I have no idea why you decided to be so belligerent with your replies, none of which were helpful. If you don’t want to believe all of the verification of this issue from multiple sources, including Chrome’s HSTS check, that’s your problem. You’ve been nothing more than a bully.

I’m simply confused.

I did as you suggested and the header check tool doesn’t show a problem. Do you now understand why logs were requested?

You’ve mixed both headers specified in Cloudflare settings (which are being returned in my testing) and a tool you specify is WP Fastest Cache which is presumably a tool which runs on your origin. The headers being returned by your origin aren’t something that can be tested by an outside observer without connecting to your origin server directly.

I apologize that attempting to gather additional information to answer your technical question has upset you.

1 Like

I used this HTTP header checker: HTTP Headers Test by WebSitePulse
I used this tester for the HTTPS headers https://securityheaders.com/
I also looked at the source code of the page.

The host and the plugin dev used their own methods, including the server logs.

So no, I don’t get why you needed one specific thing when multiple other testing methods were available. And I don’t get why you accused everybody in this thread as sus for simply reporting to show that the issue was not just with one site.

You didn’t upset me. You wasted my time and did nothing to contribute to getting this fixed.

1 Like

Hi folks,

Just a reminder that our MVPs are volunteer community members and not Cloudflare staff. They cannot directly do anything to resolve your issue but can help to provide advice or make sure all the details are there for escalation to the Cloudflare team if necessary.

In this case, I currently understand that there is exactly one URL, https://ecreatorshub.com, that is “missing cache directives and https security headers”.

Could you please specify what headers, and values, you are expecting to be set, and whether they are set by your origin server or by some setting you have in Cloudflare?

If they are set by your origin server, and you are not seeing them, then we need to understand under what conditions these headers are set in order to know what, if anything, may have changed.

If they are set by some setting you have in Cloudflare, such as a Transform Rule, then screenshots or similar of those settings can help.

There’s currently not enough information to confidently understand what the problem is.

2 Likes
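
The edge-versus-origin comparison that the replies above ask for, as an added example that is not part of the thread: it reads `curl -I` or `curl -Ikv` dumps like the ones posted, reports each disputed header as seen through the proxy and directly at the origin, and checks an HSTS value against the preload-list requirements. The function names, the hostname, the origin IP and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname and origin IP are placeholders:
#   ./hdrcheck.sh example.com 203.0.113.10
WANTED="cache-control strict-transport-security x-content-type-options cf-cache-status"

# Print the first value of header $1 from a curl -I or -Ikv dump on stdin.
# Strips CR line endings and the "< " prefix that -v puts on response headers.
header_value() {
  tr -d '\r' | sed 's/^< //' | awk -v n="$1" '
    { i = index($0, ":") }
    i && !seen && tolower(substr($0, 1, i - 1)) == n {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; seen = 1 }'
}

# Succeed only if an HSTS value meets the hstspreload.org header requirements:
# max-age of at least 31536000 plus includeSubDomains and preload.
hsts_preload_ok() (
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || exit 1
  case "$v" in *includesubdomains*preload*|*preload*includesubdomains*) exit 0 ;; esac
  exit 1
)

# One line per wanted header, showing the value seen at the edge and at the origin.
compare_dumps() {
  for h in $WANTED; do
    e=$(printf '%s\n' "$1" | header_value "$h")
    o=$(printf '%s\n' "$2" | header_value "$h")
    printf '%s edge=[%s] origin=[%s]\n' "$h" "${e:-MISSING}" "${o:-MISSING}"
  done
}

fetch_edge() { curl -sSI "https://$1/"; }
# --resolve pins the hostname to the origin IP so the request skips the proxy;
# -k because the origin certificate may not be publicly trusted.
fetch_origin() { curl -sSIk --resolve "$1:443:$2" "https://$1/"; }

# Constructed sample dumps (not captured from any real site).
SAMPLE_EDGE='< HTTP/2 200
< cache-control: max-age=0, no-cache
< cf-cache-status: DYNAMIC'
SAMPLE_ORIGIN='HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
X-Content-Type-Options: nosniff'

if [ "$#" -eq 2 ]; then
  compare_dumps "$(fetch_edge "$1")" "$(fetch_origin "$1" "$2")"
fi
```

A header that is `MISSING` on both sides was never sent by the origin; one present at the origin but absent or different at the edge points at a proxy-side setting or cached response.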