Skip to content

Remove redundant http headers

Joren Vrancken requested to merge remove_redundant_headers into master

Short description

$ curl -I                                                              

HTTP/2 200 
server: nginx/1.14.0 (Ubuntu)
date: Fri, 12 Oct 2018 22:50:12 GMT
content-type: text/html; charset=utf-8
content-length: 23238
vary: Accept-Language, Cookie
content-language: en
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
set-cookie: csrftoken=kZ2w81nKFw1jew42B0ZKea5IK5s4mjqZDTdQBZv44qOv25WzCjF7eOMISrtZg58H; expires=Fri, 11-Oct-2019 22:50:12 GMT; Max-Age=31449600; Path=/; Secure
set-cookie: sessionid=jjwncj5k4nuz6fj5tvlajtzre0xsxrvj; expires=Fri, 26-Oct-2018 22:50:12 GMT; HttpOnly; Max-Age=1209600; Path=/; Secure
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains; preload

The x-frame-options, x-content-type-options and x-xss-protection headers are set twice (x-frame-options with two different values). These headers are set by both nginx and Django.

It would be best to let nginx handle the HTTP headers.

Merge request reports