httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zoltán Halassy <>
Subject [users@httpd] Header with "always" condition doesn't always work
Date Thu, 01 Oct 2015 11:22:36 GMT

Using Apache 2.4.16, with OpenSSL 1.0.2d, with alpn support, but
*without* http/2. Today I configured a VirtualHost with GitLab (with
ProxyPassReverse and RewriteRule [P,QSA] rules). I used to configure
Strict-Transport-Security in VirtualHost context nowadays, and I
noticed two STS headers arrived to the browser. I have this line:

Header always set Strict-Transport-Security max-age=31556952

However, GitLab also sets this header, so I got two. I don't get it.
The documentation describes this:

"set: The response header is set, *replacing any previous header* with
this name."

Replacing didn't happen. I tried then "Header always unset
Strict-Transport-Security", it didn't do anything.

Strangely enough, if I *remove* the always keyword, Header
removal/replacement starts working, f.e.

Header unset Strict-Transport-Security
Header always set Strict-Transport-Security max-age=31556952

works. I guess this is a bug. Would someone look into it?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message