Hi,
First of all, great plugin — it's helped me achieve an A+ score on securityheaders.com which I'm really happy with.
I've run into one issue I can't resolve through the plugin settings. The plugin is automatically setting this header:
x-content-security-policy: default-src 'self'; img-src *; media-src * data:;
This is causing Facebook's crawler (facebookexternalhit) to report a 403 error in the Facebook Sharing Debugger, which breaks Open Graph previews when pages are shared on Facebook. I confirmed this is the plugin causing the issue by temporarily deactivating it, which resolved the Facebook crawler error immediately.
I've looked through all the plugin settings and there's no way to disable or modify the X-Content-Security-Policy header specifically. The 'Resolve duplicate site headers (beta)' section has checkboxes for Strict-Transport-Security, Permissions-Policy, X-Content-Type-Options, and X-Frame-Options — but nothing for X-Content-Security-Policy.
Since X-Content-Security-Policy is an obsolete header (it was only relevant for IE10/IE11) and modern browsers use Content-Security-Policy instead, I don't need it and would like to be able to disable it.
Could you either:
- Add a 'Disable (X-Content-Security-Policy)' checkbox to the Resolve duplicate site headers section, or
- Let me know if there's an existing workaround I've missed
Running plugin version 6.9.4 on WordPress 6.8. Thanks in advance!
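For anyone wanting to confirm what a site is actually sending before and after changing plugin settings, here is a small added check (my own example, not code from the plugin or from the post above): it parses a captured HTTP response header block, flags the obsolete X-Content-Security-Policy / X-WebKit-CSP names, and reports any of the "duplicate site headers" sent more than once. The sample response is constructed and only reuses the header value quoted above.

```python
"""Audit a raw HTTP response header block for legacy and duplicate security headers."""
from collections import defaultdict

# Pre-standard CSP header names used by old browsers (IE10/11, early WebKit);
# current browsers ignore them, so they add nothing but can still trip crawlers.
LEGACY_CSP_HEADERS = {"x-content-security-policy", "x-webkit-csp"}

# Headers that should appear at most once; two copies can lead to inconsistent
# enforcement depending on which one a client honours.
SINGLETON_HEADERS = {
    "strict-transport-security", "permissions-policy",
    "x-content-type-options", "x-frame-options", "content-security-policy",
}

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines (status line optional) into lowercased name -> values."""
    headers: dict[str, list[str]] = defaultdict(list)
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue  # skip the status line, blank lines and folded continuations
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def audit_csp_headers(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    headers = parse_headers(raw)
    findings = []
    for name in sorted(set(headers) & LEGACY_CSP_HEADERS):
        findings.append(f"obsolete header {name}: {headers[name][0]}")
    for name in sorted(set(headers) & SINGLETON_HEADERS):
        if len(headers[name]) > 1:
            findings.append(f"duplicate header {name} sent {len(headers[name])} times")
    legacy = headers.get("x-content-security-policy")
    standard = headers.get("content-security-policy")
    if legacy and standard and legacy[0] != standard[0]:
        findings.append("legacy and standard CSP values differ")
    if legacy and standard is None:
        findings.append("no standard content-security-policy header present")
    return findings

# Constructed sample response: a duplicated header plus the legacy CSP header.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Content-Security-Policy: default-src 'self'; img-src *; media-src * data:;
Content-Security-Policy: default-src 'self'; img-src *; media-src * data:;
"""
```

Run `audit_csp_headers(SAMPLE_RESPONSE)` on the headers captured with `curl -sI` (or with the crawler's User-Agent set) to see exactly which headers the site emits.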