Hello!

I am using Apache 2.4.16 with OpenSSL 1.0.2d, with ALPN support, but
*without* HTTP/2. Today I configured a VirtualHost with GitLab (with
ProxyPassReverse and RewriteRule [P,QSA] rules). I usually configure
Strict-Transport-Security in VirtualHost context nowadays, and I
noticed two STS headers arrived at the browser. I have this line:

Header always set Strict-Transport-Security max-age=31556952

However, GitLab also sets this header, so I got two. I don't get it.
The documentation describes this:

"set: The response header is set, *replacing any previous header* with
this name."

Replacing didn't happen. I then tried "Header always unset
Strict-Transport-Security"; it didn't do anything.

Strangely enough, if I *remove* the always keyword, Header
removal/replacement starts working, e.g.

Header unset Strict-Transport-Security
Header always set Strict-Transport-Security max-age=31556952

works. I guess this is a bug. Would someone look into it?
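
The behaviour described above matches mod_headers keeping two separate response-header tables: `always` edits one, the default `onsuccess` condition edits the other, and headers from a proxied backend sit in the `onsuccess` one. A simplified Python model of that, as an added example that is not part of the original post or Apache's code; the backend header value and all function names are constructed for illustration:

```python
# Simplified model of mod_headers' two response-header tables (added example).
# Assumption: only 'set' and 'unset' are modelled, for a successful response.
STS = "Strict-Transport-Security"

def apply_directives(backend_headers, directives):
    """Return the (name, value) headers the client would receive.

    backend_headers: headers produced by the proxied application; they live
        in the 'onsuccess' table.
    directives: (condition, action, name, value) tuples, where condition is
        'onsuccess' (the default when no keyword is given) or 'always'.
    """
    tables = {"onsuccess": list(backend_headers), "always": []}
    for condition, action, name, value in directives:
        table = tables[condition]
        # 'set' and 'unset' both drop existing entries with this name,
        # but only in the table chosen by the condition.
        table[:] = [(n, v) for n, v in table if n.lower() != name.lower()]
        if action == "set":
            table.append((name, value))
    # Both tables are emitted in the final response.
    return tables["always"] + tables["onsuccess"]

def sts_values(headers):
    """All Strict-Transport-Security values present in a header list."""
    return [v for n, v in headers if n.lower() == STS.lower()]

# Constructed backend response: the application sets its own STS header.
BACKEND = [("Content-Type", "text/html"), (STS, "max-age=31536000")]

def scenario_always_set_only():
    # Header always set Strict-Transport-Security max-age=31556952
    return sts_values(apply_directives(BACKEND, [
        ("always", "set", STS, "max-age=31556952")]))

def scenario_always_unset_only():
    # Header always unset Strict-Transport-Security
    return sts_values(apply_directives(BACKEND, [
        ("always", "unset", STS, None)]))

def scenario_unset_then_always_set():
    # Header unset ... followed by Header always set ...
    return sts_values(apply_directives(BACKEND, [
        ("onsuccess", "unset", STS, None),
        ("always", "set", STS, "max-age=31556952")]))

if __name__ == "__main__":
    for fn in (scenario_always_set_only, scenario_always_unset_only,
               scenario_unset_then_always_set):
        print(fn.__name__, fn())
```

A duplicated header is worth catching in a deployment check, because RFC 6797 has the browser process only the first Strict-Transport-Security header it receives.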
