You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by "Houser, Rick" <ri...@jackson.com> on 2015/08/13 22:28:40 UTC

HSTS Header Duplication

Some time back, I turned on HSTS for our sites with something like this:

Header always set Strict-Transport-Security "max-age=#######"

As near as I could tell, everything was working correctly (2.4.12 presently - will be on 2.4.16 shortly).  However, one of our development teams recently added a similar HSTS directive into a backend application (which happens to be accessed via mod_cluster).  Now, browsers are seeing two different copies of this header on the response (first my values, then the backend values I intended to override).  I've verified that direct backend application connections only return one copy of that header.

I went back and took a closer look at that various documentation/tutorials scattered around the web for implementing HSTS, and it all seems to indicate "Header always set" for this purpose.  I also read the mod_headers documentation several times, but I don't see anything that provides clarity in this case

Based on our observations, I suspect that we are looking at a bug of some kind here: either a traditional error in the code or a necessary documentation fix.  Would someone please confirm how "Header always set" feature is intended to function (specifically in the presence of an existing header) so I know which direction to research and ultimately submit a patch?

Thank you,


Rick Houser

Re: HSTS Header Duplication

Posted by Eric Covener <co...@gmail.com>.

On Thu, Aug 13, 2015 at 6:28 PM, Nick Kew <ni...@webthing.com> wrote:
> On Thu, 13 Aug 2015 20:28:40 +0000
> "Houser, Rick" <ri...@jackson.com> wrote:
>
>> Some time back, I turned on HSTS for our sites with something like this:
>>
>> Header always set Strict-Transport-Security "max-age=#######"
>
> I think you're misunderstanding mod_headers and the headers structure.
> In general terms, HTTP permits duplicate headers, which may have
> different values.  For example,.multiple cookies.  So mod_headers
> lets you set them, regardless of whether they're already set.
>
> If that's not what you want, you can of course configure mod_headers
> to unset an existing header before setting a new one.  Or other
> configuration variants.

mod_headers already has 'set' vs 'add' so I think his expectation is
OK.  My first guess would be some issue with headers_out vs
err_headers_out ?

Re: HSTS Header Duplication

Posted by Nick Kew <ni...@webthing.com>.

On Thu, 13 Aug 2015 20:28:40 +0000
"Houser, Rick" <ri...@jackson.com> wrote:

> Some time back, I turned on HSTS for our sites with something like this:
> 
> Header always set Strict-Transport-Security "max-age=#######"

I think you're misunderstanding mod_headers and the headers structure.
In general terms, HTTP permits duplicate headers, which may have
different values.  For example,.multiple cookies.  So mod_headers
lets you set them, regardless of whether they're already set.

If that's not what you want, you can of course configure mod_headers
to unset an existing header before setting a new one.  Or other
configuration variants.

-- 
Nick Kew