httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Houser, Rick" <>
Subject HSTS Header Duplication
Date Thu, 13 Aug 2015 20:28:40 GMT
Some time back, I turned on HSTS for our sites with something like this:

Header always set Strict-Transport-Security "max-age=#######"

As near as I could tell, everything was working correctly (2.4.12 presently - will be on 2.4.16
shortly).  However, one of our development teams recently added a similar HSTS directive into
a backend application (which happens to be accessed via mod_cluster).  Now, browsers are seeing
two different copies of this header on the response (first my values, then the backend values
I intended to override).  I've verified that direct backend application connections only return
one copy of that header.

I went back and took a closer look at that various documentation/tutorials scattered around
the web for implementing HSTS, and it all seems to indicate "Header always set" for this purpose.
 I also read the mod_headers documentation several times, but I don't see anything that provides
clarity in this case

Based on our observations, I suspect that we are looking at a bug of some kind here: either
a traditional error in the code or a necessary documentation fix.  Would someone please confirm
how "Header always set" feature is intended to function (specifically in the presence of an
existing header) so I know which direction to research and ultimately submit a patch?

Thank you,

Rick Houser

View raw message