Skip to content

Warning Message on Windows Platform #1

Description

@nyhtml

Windows PHP emits a warning when a multi‑line CSP header is sent.
Linux accepts multi‑line headers, but Windows requires one continuous line.

The current CSP header:

header("Content-Security-Policy:
    default-src 'self';
    script-src 'self' https://{$serverFQDN};
    style-src 'self' 'unsafe-inline' https://{$serverFQDN};
    img-src 'self' https://{$serverFQDN};"
);

This produces a warning on Windows because HTTP headers cannot contain literal newlines.

Convert the CSP header into a single line:

header("Content-Security-Policy: default-src 'self'; script-src 'self' https://{$serverFQDN}; style-src 'self' 'unsafe-inline' https://{$serverFQDN}; img-src 'self' https://{$serverFQDN};");

This resolves the Windows warning and behaves identically on Linux.

Recomended:

// Security & privacy headers
$nonce = bin2hex(random_bytes(12));
$policies = [
    "default-src 'self'",
    "style-src 'self' 'nonce-$nonce'",
    "script-src 'self' 'nonce-$nonce' sipylus.com www.sipylus.com static.statcounter.com secure.statcounter.com www.statcounter.com c.statcounter.com",
    "img-src 'self' data: sipylus.com www.sipylus.com c.statcounter.com secure.statcounter.com www.statcounter.com sipylus.montastic.io",
    "font-src 'self'",
    "connect-src 'self'",
    "frame-ancestors 'none'",
    "base-uri 'none'",
	"form-action 'self'",
    "object-src 'none'",
    "require-trusted-types-for 'script'",
    "upgrade-insecure-requests"
];

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingenhancementNew feature or request

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions