Describe the bug
Any website on the listed.to domain and all listed.to custom domains return multiple x-frame-options headers. They're also both different (sameorigin and deny). Browsers don't expect multiple x-frame-options headers and this results in undefined behavior. You should only send a single x-frame-options header.
To Reproduce
Steps to reproduce the behavior:
Go to listed.to
Look at the HTTP headers
MoreX-Content-Type-Options is also doubled up, but contains the same content both times. Could still confuse some browsers and should be avoided. Also you probably don't want to send X-Powered-By and Server headers in production.
Describe the bug Any website on the listed.to domain and all listed.to custom domains return multiple x-frame-options headers. They're also both different (sameorigin and deny). Browsers don't expect multiple x-frame-options headers and this results in undefined behavior. You should only send a single x-frame-options header.
To Reproduce Steps to reproduce the behavior:
More X-Content-Type-Options is also doubled up, but contains the same content both times. Could still confuse some browsers and should be avoided. Also you probably don't want to send X-Powered-By and Server headers in production.