From f7ba01f01712f55d31804bbb764b31dadfeb5ebf Mon Sep 17 00:00:00 2001 From: Bastian Blank Date: Mon, 26 Mar 2018 20:48:08 +0200 Subject: [PATCH] Only set headers in apache if they don't exist "Header always setifempty" does not work with proxied requests, as the header from the response is added in the second header table. This means both tables want to set the headers. The only way out seems to check by hand if the header already exists somewhere. Signed-off-by: Bastian Blank --- modules/apache2/files/headers | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/apache2/files/headers b/modules/apache2/files/headers index 15d3b0864..89e693324 100644 --- a/modules/apache2/files/headers +++ b/modules/apache2/files/headers @@ -1,9 +1,9 @@ Header set X-Clacks-Overhead "GNU Terry Pratchett" - Header always setifempty X-Content-Type-Options "nosniff" - Header always setifempty X-Frame-Options "sameorigin" - Header always setifempty Referrer-Policy "no-referrer" - # Header always setifempty X-Xss-Protection "1; mode=block" - Header always setifempty X-Xss-Protection "1" + Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}" + Header always set X-Frame-Options "sameorigin" "expr=-z %{resp:X-Frame-Options}" + Header always set Referrer-Policy "no-referrer" "expr=-z %{resp:Referrer-Policy}" + # Header always set X-Xss-Protection "1; mode=block" "expr=-z %{resp:X-Xss-Protection}" + Header always set X-Xss-Protection "1" "expr=-z %{resp:X-Xss-Protection}" -- 2.20.1