From 260ef6dc9d0bbad280e97394c27ed3766ae6dd87 Mon Sep 17 00:00:00 2001
From: Veit
Date: Tue, 19 Apr 2022 23:09:20 +0200
Subject: [PATCH] Remove duplicate HSTS header on Apache if mod_headers is loaded

On Apache httpd, ./.htaccess sets HSTS if mod_headers is loaded, but though ./v/0.0.0/include.php does the same if envvar "HTTPS" is set, resulting in duplicate and thus invalid HSTS headers. One needs to go.
---
 .htaccess | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.htaccess b/.htaccess
index 0e6142e36..449dcc730 100644
--- a/.htaccess
+++ b/.htaccess
@@ -23,7 +23,7 @@
 # Header set Cache-Control "public, max-age=31536000"
 # Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"
 # Header set Referrer-Policy "no-referrer"
- Header set Strict-Transport-Security "max-age=31536000"
+# Header set Strict-Transport-Security "max-age=31536000"
 Header set imagetoolbar "no"
 # Header set X-Content-Type-Options "nosniff"
 # Header set X-Frame-Options "DENY"
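Review bot: Commenting out `Header set Strict-Transport-Security` leaves include.php as the only source of HSTS, so any response Apache serves without running PHP (static files, and presumably error pages) would no longer carry the header. include.php is not visible here, so this is inferred from the commit description. If that coverage matters, the alternative is to keep the directive here but restrict it to TLS requests, e.g. `Header set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"` (Apache 2.4 `expr=` condition), and drop the PHP copy instead. If the PHP path stays, a comment above the disabled line such as `# HSTS is sent by v/0.0.0/include.php when HTTPS is set; enabling it here too produces a duplicate header` would keep a later edit from re-enabling it. The enclosing mod_headers block starts and ends outside the hunk.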