Open taladar opened 8 years ago
Yeah, this is something that I was aware of but simply didn't fix because of time constraints. Now that there's a bug I'll probably look at fixing it at some point. ;)
FWIW, it is pretty important to fix these -- I have found that different browsers behave wildly differently if you send two XFO or XTCO headers because of the way that the HTTP specification says that they're supposed to work.
I didn't mean that duplicate headers should be ignored, I just meant that the error message when not using the debug option could be more specific.
Yep, totally. :)
This particular error could maybe be handled separately from a completely unrecognized header. It is the result of a reverse proxy and the actual web server both setting the header to nosniff in this case (though e.g. X-Frame-Options, X-XSS-Protection and similar checks seem to be affected by this too).
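The distinction discussed in this thread, as an added example that is not code from the thread or from the project: a check that reports a duplicated header separately from an unrecognized value. The function names, status strings and the reduced `ALLOWED` value sets are assumptions made for the illustration, and the sample headers are constructed.

```python
"""Classify single-valued security headers, separating duplicates from bad values."""

# Accepted values per header (lower-cased); a deliberately small set for this example.
ALLOWED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
}


def header_values(raw_headers, name):
    """Collect every value sent for `name`.

    Counts repeated header lines and comma-joined values alike, since
    intermediaries and HTTP libraries may fold repeated lines into one.
    """
    values = []
    for key, value in raw_headers:
        if key.strip().lower() == name:
            values.extend(v.strip().lower() for v in value.split(","))
    return [v for v in values if v]


def classify(raw_headers, name):
    """Return (status, detail) for one header in a list of (name, value) pairs."""
    name = name.lower()
    values = header_values(raw_headers, name)
    if not values:
        return "missing", f"{name} not sent"
    bad = sorted(set(values) - ALLOWED[name])
    if len(values) == 1:
        if bad:
            return "unrecognized", f"{name}: unrecognized value {bad[0]!r}"
        return "ok", f"{name}: {values[0]}"
    if bad:
        return "duplicate-invalid", f"{name} sent {len(values)} times, bad values {bad}"
    if len(set(values)) == 1:
        return "duplicate-identical", f"{name} sent {len(values)} times as {values[0]!r}"
    return "duplicate-conflicting", f"{name} sent with conflicting values {sorted(set(values))}"


# Constructed sample: a reverse proxy and the origin server both add nosniff.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY, SAMEORIGIN"),
]
```

Feeding it the raw header list before any library merges repeated lines keeps the report accurate about how the duplicate arrived on the wire.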