Probably because the header is being added later in a different sub-context.
That is, at the time apache sets the header for virtual host there is no other header of the same name defined, so there is nothing to eliminate and set instead, but then the path for the reverse proxy to tomcat is being evaluated later. I would suppose setting it in the specific location for the path that leads to tomcat things would be different. In any case try and see. Regards. El mié., 6 oct. 2021 12:09, Martin Knoblauch <kn...@knobisoft.de> escribió: > Hi, > > sorry for asking this likely stupid question. This is with Apache HTTPD > 2.4.48. > > I want to change the value of the X-Frame-Options response header from > DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53. > > Naively, because the mod_header documentation says "The response header is > set, replacing any previous header with this name. The value may be a > format string.", I added a single > > Header always set X-Frame-Options SAMEORIGIN > > to the VirtualHost section of the httpd configuration. To my surprise my > browser (FF and Chrome) has two headers now, one with DENY, one with > SAMEORIGIN. And falls back to DENY :-( > > When I add an unset before the set, it works > > Header unset X-Frame-Options > Header always set X-Frame-Options SAMEORIGIN > > Is my understanding of the mod_header documentation wrong, or do I miss > somethiong subtle? > > Cheers > Martin > -- > ------------------------------------------------------ > Martin Knoblauch > email: k n o b i AT knobisoft DOT de > www: http://www.knobisoft.de >
