From: Bastian Blank <waldi@debian.org>
Date: Mon, 26 Mar 2018 18:48:08 +0000 (+0200)
Subject: Only set headers in apache if they don't exist
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f7ba01f01712f55d31804bbb764b31dadfeb5ebf;p=mirror%2Fdsa-puppet.git

Only set headers in apache if they don't exist

"Header always setifempty" does not work with proxied requests, as the
header from the response is added in the second header table.  This
means both tables want to set the headers.  The only way out seems to
check by hand if the header already exists somewhere.

Signed-off-by: Bastian Blank <waldi@debian.org>
---

diff --git a/modules/apache2/files/headers b/modules/apache2/files/headers
index 15d3b0864..89e693324 100644
--- a/modules/apache2/files/headers
+++ b/modules/apache2/files/headers
@@ -1,9 +1,9 @@
 <IfModule mod_headers.c>
   Header set X-Clacks-Overhead "GNU Terry Pratchett"
 
-  Header always setifempty X-Content-Type-Options "nosniff"
-  Header always setifempty X-Frame-Options "sameorigin"
-  Header always setifempty Referrer-Policy "no-referrer"
-  # Header always setifempty X-Xss-Protection "1; mode=block"
-  Header always setifempty X-Xss-Protection "1"
+  Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"
+  Header always set X-Frame-Options "sameorigin" "expr=-z %{resp:X-Frame-Options}"
+  Header always set Referrer-Policy "no-referrer" "expr=-z %{resp:Referrer-Policy}"
+  # Header always set X-Xss-Protection "1; mode=block" "expr=-z %{resp:X-Xss-Protection}"
+  Header always set X-Xss-Protection "1" "expr=-z %{resp:X-Xss-Protection}"
 </IfModule>