Security headers are duplicated (X-UA-Compatible, X-Content-Type-Options, X-Frame-Options)

Created on 9 March 2022, almost 3 years ago
Updated 26 February 2024, 10 months ago

Problem/Motivation

When doing a scan we had some issues, and it seems to be due to some of the security headers becoming "invalid" because they are duplicated.

X-UA-Compatible: IE=edge, IE=edge
X-Content-Type-Options: nosniff, nosniff
X-Frame-Options: SAMEORIGIN, SAMEORIGIN

Steps to reproduce

Install bigpipe sessionless and inspect the headers on one of the responses for a "primed" cached page (i.e. the second request, after the BigPipe response).
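
A header check for the reproduction step above, added here as an example and not part of the issue or the module: it reads raw response headers (from `curl -sI`, or the constructed sample at the end) and reports any header whose value is sent more than once, whether as a repeated header line or as a repeated comma-separated value such as `SAMEORIGIN, SAMEORIGIN`.

```shell
#!/bin/sh
# Report response headers whose value is duplicated: either the same header
# line is sent twice, or a single line carries a repeated comma-separated
# value (e.g. "X-Frame-Options: SAMEORIGIN, SAMEORIGIN"). Reads raw HTTP
# response headers on stdin and prints one "Name: value" line per offending
# header; prints nothing when the headers are clean.
dup_headers() {
  tr -d '\r' | awk -F': ' '
    /^[A-Za-z0-9-]+: / {
      name  = tolower($1)                  # header names are case-insensitive
      value = substr($0, length($1) + 3)   # everything after "Name: "
      n = split(value, parts, "[ \t]*,[ \t]*")
      for (i = 1; i <= n; i++) {
        key = name SUBSEP tolower(parts[i])
        # second sighting of the same name/value pair: report once per name
        if (seen[key]++ && !reported[name]++)
          print $1 ": " value
      }
    }'
}

# Against a live site (the second request is served from the primed page cache):
#   curl -sI "$URL" > /dev/null; curl -sI "$URL" | dup_headers
# Constructed sample, matching the three headers quoted in this issue:
printf 'HTTP/1.1 200 OK\r\nX-UA-Compatible: IE=edge, IE=edge\r\nX-Content-Type-Options: nosniff, nosniff\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\nCache-Control: max-age=0, must-revalidate\r\n' | dup_headers
```

Headers that are legitimately repeated with different values (for example several Set-Cookie lines) are not reported, since only identical name/value pairs count as duplicates.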

Proposed resolution

Unsure; it appears to be related to "filtering" the response prior to placing it into the page cache, which causes the headers to be added a second time.

Remaining tasks

-

User interface changes

-

API changes

-

Data model changes

-

🐛 Bug report
Status

Needs work

Version

2.0

Component

Code

Created by

Driskell (🇬🇧 United Kingdom)

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Needs manual testing

    The change/bugfix cannot be fully demonstrated by automated testing, and thus requires manual testing in a variety of environments.
