Alanaktion / phproject

A high performance full-featured project management system
https://www.phproject.org
GNU General Public License v3.0

duplicate security headers #346

Closed jseutens closed 6 years ago

jseutens commented 6 years ago

There was a duplicate X-Content-Type-Options header. There was a duplicate X-Frame-Options header. There was a duplicate X-XSS-Protection header.

These headers are already implemented server side; the project website is the only one where I get the duplicate messages. Is there a way to disable these 3 security headers in your code? The values are the same on server side as on website side.

X-Frame-Options : SAMEORIGIN
X-XSS-Protection : 1; mode=block
X-Content-Type-Options : nosniff

Alanaktion commented 6 years ago

There is not currently a way to disable these headers. I would recommend configuring your server to replace the headers instead of adding additional ones. On nginx, this requires the more_headers module. On Apache, this is supported by mod_headers.
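
After changing the server configuration, it helps to confirm that each of the three headers from this issue is sent exactly once. The following check is an added example, not part of the thread or of phproject's code; the function names and sample header blocks are constructed for illustration.

```python
import http.client
import io
import urllib.request

# The three headers named in the issue report.
SECURITY_HEADERS = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")

# Constructed sample: header block (status line omitted) of a response where
# the web server and the application each emitted the same three headers.
SAMPLE_SAME = (
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
)

# Constructed sample: the two layers disagree on X-Frame-Options.
SAMPLE_CONFLICT = (
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
)


def parse_header_block(raw):
    """Parse raw header bytes into an HTTPMessage that keeps repeated fields."""
    return http.client.parse_headers(io.BytesIO(raw))


def find_duplicates(headers, names=SECURITY_HEADERS):
    """Return {name: {"values": [...], "conflict": bool}} for repeated headers."""
    report = {}
    for name in names:
        values = [v.strip() for v in headers.get_all(name) or []]
        if len(values) > 1:
            # Identical repeats are redundant; differing repeats mean the two
            # layers are configured inconsistently.
            distinct = {v.lower() for v in values}
            report[name] = {"values": values, "conflict": len(distinct) > 1}
    return report


def check_url(url):
    """Fetch a URL you administer and report repeated security headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return find_duplicates(resp.headers)
```

An empty result from `check_url` means none of the three headers is repeated; it does not confirm that they are present at all.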