When a CF app is a proxy for another CF app, the security headers get doubled:
The above is for https://fec-proxy.18f.gov/data/static/img/seal--white.svg (though it is behind HTTP Basic Auth, so a direct curl will stop at a 401).
The HSTS header is not doubled, because the CF intermediate proxy only sets it when the response does not already carry one, which lets an app override the proxy's value.
Cloud.gov can fix the above by applying the same conditional logic to the other security headers as it does for the HSTS header. This would also give apps the same flexibility to modify the security policy that CF sets, to be either stricter or looser, if the app has a good reason to do so.
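To make the proposed fix concrete, here is an added example (not cloud.gov or Cloud Foundry code) that models a response passing through two proxy hops, once with the current "always append" behaviour and once with the "set only if absent" behaviour already used for HSTS. The exact set of headers the CF router adds is not shown on the page; the header names and values in the block are assumed for illustration, and only Strict-Transport-Security is taken from the text.

```python
"""Header doubling across chained proxy hops, and the conditional fix.

Added example, not cloud.gov / Cloud Foundry code. The proxy's real header
set is not shown on the page; PROXY_SECURITY_HEADERS is an assumption.
"""
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]

# Assumed defaults an intermediate proxy stamps onto every response.
# HSTS is the one the page says is already applied conditionally.
PROXY_SECURITY_HEADERS: Headers = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]


def _names(headers: Headers) -> set:
    return {name.lower() for name, _ in headers}


def apply_unconditional(upstream: Headers) -> Headers:
    """Current behaviour described on the page: every default except HSTS is
    appended no matter what the upstream already sent, so each proxy hop adds
    another copy. HSTS is skipped when already present."""
    out = list(upstream)
    present = _names(upstream)
    for name, value in PROXY_SECURITY_HEADERS:
        if name.lower() == "strict-transport-security" and name.lower() in present:
            continue
        out.append((name, value))
    return out


def apply_conditional(upstream: Headers) -> Headers:
    """Proposed behaviour: add a default only if the upstream did not set that
    header, so an inner hop's copy, or an app's own stricter/looser value,
    survives unchanged."""
    out = list(upstream)
    present = _names(upstream)
    for name, value in PROXY_SECURITY_HEADERS:
        if name.lower() not in present:
            out.append((name, value))
    return out


def through_proxies(app_headers: Headers, hops: int,
                    apply: Callable[[Headers], Headers]) -> Headers:
    """Send one response through `hops` proxy layers (app -> proxy -> proxy)."""
    headers = app_headers
    for _ in range(hops):
        headers = apply(headers)
    return headers


def count(headers: Headers, name: str) -> int:
    """How many times `name` appears in the final response."""
    return sum(1 for n, _ in headers if n.lower() == name.lower())


if __name__ == "__main__":
    # Constructed upstream response from the inner app (an SVG, as on the page).
    origin: Headers = [("Content-Type", "image/svg+xml")]
    for label, fn in (("unconditional", apply_unconditional),
                      ("conditional", apply_conditional)):
        final = through_proxies(origin, 2, fn)
        print(label, "X-Frame-Options x%d, HSTS x%d" % (
            count(final, "X-Frame-Options"),
            count(final, "Strict-Transport-Security")))
    # An app that deliberately loosens one policy keeps its value under the fix.
    custom: Headers = [("X-Frame-Options", "SAMEORIGIN")]
    print("app override survives:",
          dict(through_proxies(custom, 1, apply_conditional))["X-Frame-Options"])
```

Running the block shows the X-Frame-Options header appearing twice after two hops under the current logic and once under the conditional logic, while HSTS appears once in both cases; the last line shows an app-supplied value passing through the proxy untouched, which is the flexibility the report asks for.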