Hotlink protection disables Expire headers

[Mike99]

TITLE:

Hotlink protection disables Expire headers​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

Plesk Onyx , Version 17.8.11 Update #35, last updated on Dec 18, 2018 01:06 PM, ‪Ubuntu 16.04.5 LTS‬​

PROBLEM DESCRIPTION:

When enabled Hotlink protection (can be reverted) in WordPress (extension) > Security Status, Expire headers like cache-control:max-age=31536000, public disappear from headers. If disabled Hotlink protection, they appear again.

This happens in both Nginx only hosting and with Nginx proxying Apache.

Not only​

STEPS TO REPRODUCE:

When enabled Hotlink protection (can be reverted) in WordPress (extension) > Security Status, Expire headers like cache-control:max-age=31536000, public disappear from headers. If disabled Hotlink protection, they appear again.

Additional Nginx directive: (the last line is optional does not work with or without)

location ~* .(js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|svg|mp4|m4v)$ {
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "max-age=31536000, public";
add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"";
}​

ACTUAL RESULT:

curl -I -c - https://www.example.com/wp-content/uploads/example.png -k
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Dec 2018 16:11:23 GMT
Content-Type: image/png
Content-Length: 13335
Last-Modified: Tue, 18 Dec 2018 23:54:15 GMT
Connection: keep-alive
ETag: "5c1988a7-3417"
Accept-Ranges: bytes​

EXPECTED RESULT:

curl -I -c - https://www.example.com/wp-content/uploads/example.png -k
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Dec 2018 16:11:23 GMT
Content-Type: image/png
Content-Length: 13335
Last-Modified: Tue, 18 Dec 2018 23:54:15 GMT
Connection: keep-alive
ETag: "5c1988a7-3417"
Pragma: public
Cache-Control: max-age=31536000, public
Link: <https://www.example.com/wp-content/uploads/example.png>; rel="canonical"
Accept-Ranges: bytes​

ANY ADDITIONAL INFORMATION:

​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[IgorG]

Thank you. The issue EXTWPTOOLK-2321 has been submitted.

 

[Mike99]

WP Toolkit Version: 3.6.1-1603

Hi Plesk team, I just read that new WP Toolkit fix from 21 February should have fixed this issue, Hotlink Protection And Expire Headers: Hotlink Protection security measure no longer disables Expire headers. (EXTWPTOOLK-2321), but the problem still remains the same. I tried to uninstall WP Toolkit extension and install it back again, this did not help and even broke all my previous settings. The same operating system as above.

 

[custer]

Hi Mike,

We had to temporarily disable all WPT 3.6 functionality (including bugfixes) to quickly address several critical issues. We're planning to release WPT 3.6.2 tomorrow, which should enable everything again, including the bugfixes you're waiting for. Sorry to keep you waiting!