Remove redundant http headers (!995) · Merge requests · thalia / concrexit

Ghost User requested to merge remove_redundant_headers into master Oct 13, 2018

Short description

$ curl -I https://thalia.nu/                                                              

                                           
HTTP/2 200 
server: nginx/1.14.0 (Ubuntu)
date: Fri, 12 Oct 2018 22:50:12 GMT
content-type: text/html; charset=utf-8
content-length: 23238
vary: Accept-Language, Cookie
content-language: en
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
set-cookie: csrftoken=kZ2w81nKFw1jew42B0ZKea5IK5s4mjqZDTdQBZv44qOv25WzCjF7eOMISrtZg58H; expires=Fri, 11-Oct-2019 22:50:12 GMT; Max-Age=31449600; Path=/; Secure
set-cookie: sessionid=jjwncj5k4nuz6fj5tvlajtzre0xsxrvj; expires=Fri, 26-Oct-2018 22:50:12 GMT; HttpOnly; Max-Age=1209600; Path=/; Secure
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains; preload

The x-frame-options, x-content-type-options and x-xss-protection headers are set twice (x-frame-options with two different values). These headers are set by both nginx and Django.

It would be best to let nginx handle the HTTP headers.

Remove redundant http headers

Short description

Merge request reports