internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Duplicate headers #1348

Open dennisbaaten opened 3 months ago

dennisbaaten commented 3 months ago

When headers occur more than once, domains currently pass the test. Other testing platforms (Mozilla Observatory and Security Headers) seem to reject this. We should look into this and decide how we want to deal with such scenarios. @mxsasha stated that it's customary to use the last header in case there are duplicates.

dennisbaaten commented 3 months ago

Probably related to: https://github.com/internetstandards/Internet.nl/issues/1023 https://github.com/internetstandards/Internet.nl/issues/1199 https://github.com/internetstandards/Internet.nl/issues/1038

bwbroersma commented 3 months ago

Depends on the spec, I see the double headers mainly with HSTS (with of course a preload only on the www). In those cases I think it should be valid, but with :warning: warning since it's a clear misconfiguration (same as HSTS on http). In case of CSP it's actually valid to have multiple CSP headers (although an :information_source: info would be nice): 8.1. The effect of multiple policies - Content Security Policy Level 3 - W3C.

dennisbaaten commented 3 months ago

The person that reported the issue stated the following:

Last week, we had an issue and several headers were duplicated (X-Content-Type-Options and X-Frame-Options).
Sites like Mozilla Observatory and Security Headers were complaining but Internet.nl was still showing these headers as good / green. Might be something to check.

bwbroersma commented 3 months ago

Looks like multiple X-Frame-Options are allowed (and the first one is used), see 7.6 The X-Frame-Options header. I cannot find any documentation about double X-Content-Type-Options headers.
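To make the per-header handling discussed in this thread concrete, here is an added Python example (not Internet.nl's own code; the rule table is an assumption drawn from the comments above, and the sample response headers are constructed). It groups raw header pairs, picks the effective value per header (all CSP policies, the first X-Frame-Options, the last occurrence otherwise) and reports a severity for duplicates.

```python
from collections import defaultdict

# Duplicate-handling rules as proposed in the thread (assumption, not the
# current Internet.nl behaviour): how the effective value is chosen, and what
# severity a duplicate should get.
#   "all"   -> every occurrence is enforced (CSP: all policies must pass)
#   "first" -> the first occurrence is used (X-Frame-Options, per its spec)
#   "last"  -> the last occurrence is used (customary fallback for the rest)
DUPLICATE_RULES = {
    "content-security-policy": ("all", "info"),
    "x-frame-options": ("first", "warning"),
    "strict-transport-security": ("last", "warning"),
}
DEFAULT_RULE = ("last", "warning")

# Constructed sample: a response that duplicates several security headers.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Frame-Options", "DENY"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Content-Type", "text/html; charset=utf-8"),
]


def group_headers(raw_headers):
    """Group (name, value) pairs by case-insensitive name, keeping wire order."""
    grouped = defaultdict(list)
    for name, value in raw_headers:
        grouped[name.lower()].append(value.strip())
    return grouped


def evaluate_duplicates(raw_headers):
    """Return {name: {"values", "effective", "severity"}} for every header."""
    report = {}
    for name, values in group_headers(raw_headers).items():
        mode, severity = DUPLICATE_RULES.get(name, DEFAULT_RULE)
        if len(values) == 1:
            report[name] = {"values": values, "effective": values, "severity": "ok"}
            continue
        effective = values if mode == "all" else (values[:1] if mode == "first" else values[-1:])
        report[name] = {"values": values, "effective": effective, "severity": severity}
    return report


if __name__ == "__main__":
    for name, entry in evaluate_duplicates(SAMPLE_HEADERS).items():
        print(f"{entry['severity']:8} {name}: {entry['effective']}")
```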