Bug #2709
closed
setenv.add-response-header does not accumulate
Description
If adding response headers more than once with += only the last configuration is respected.
Example:
setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains" )
and later:
setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" )
only the last header is added, here "X-Content-Type-Options".
With alias.url the operator += works fine, so I expected this to work here the same way.
My current workaround is:
setenv.add-response-header += (
"X-Content-Type-Options" => "nosniff",
"Strict-Transport-Security" => "max-age=63072000; includeSubDomains"
)
but then I have to repeat the Strict-Transport-Security header multiple times ...
Updated by flynn over 9 years ago
I recognized that it does not happen on all my servers.
The described behaviour only happens if the second statement of setenv.add-response-header is inside a host-group:
$HTTP["host"] =~ .... { setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" ) }
The first setenv.add-response-header is not inside a host-group, so I expected it to be global.
Bug or intended feature?
Updated by stbuehler over 9 years ago
- Status changed from New to Invalid
It is the way the config works, += is evaluated as a preprocessing step. Try the -p option to see how lighttpd actually sees your config.
Updated by gstrauss about 9 years ago
Related tickets with some discussion:
https://redmine.lighttpd.net/issues/2597
https://redmine.lighttpd.net/issues/2685
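A way to catch the situation reported in this ticket before it silently drops a security header for one host, written as an added example (not code from this ticket or from the lighttpd project). It assumes, as the report describes, that a setenv.add-response-header value set inside a condition block replaces the global one for matching requests; the function names and the host names in the sample are made up for illustration.

```python
import re
# Constructed sample in the syntax used in the report; host names are made up.
SAMPLE = r'''
setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains" )
$HTTP["host"] =~ "^static\.example\.test$" {
    setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" )
}
$HTTP["host"] == "www.example.test" {
    setenv.add-response-header += (
        "X-Content-Type-Options" => "nosniff",
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains"
    )
}
'''

STRING = r'"(?:[^"\\]|\\.)*"'
TOKEN = re.compile(STRING + r'|#[^\n]*|[{}]')
ASSIGN = re.compile(r'setenv\.add-response-header\s*\+?=\s*\(((?:' + STRING + r'|[^()"])*)\)')
HEADER = re.compile(r'"([^"]+)"\s*=>')

def split_scopes(conf):
    """Return (text outside condition blocks, [(condition, body), ...])."""
    outside, blocks, depth, last = [], [], 0, 0
    for m in TOKEN.finditer(conf):
        if m.group() == "{":
            if depth == 0:
                start = max(last, conf.rfind("\n", 0, m.start()) + 1)
                outside.append(conf[last:start])
                cond, body_start = conf[start:m.start()].strip(), m.end()
            depth += 1
        elif m.group() == "}":
            depth -= 1
            if depth == 0:  # nested blocks stay part of the outer body
                blocks.append((cond, conf[body_start:m.start()]))
                last = m.end()
    return "".join(outside) + conf[last:], blocks

def header_names(text):  # lower-cased header names from every list in text
    return {n.lower() for body in ASSIGN.findall(text) for n in HEADER.findall(body)}

def dropped_headers(conf):
    """Map each condition that sets the option to the global headers it omits."""
    conf = TOKEN.sub(lambda m: "" if m.group().startswith("#") else m.group(), conf)
    global_text, blocks = split_scopes(conf)
    wanted = header_names(global_text)
    return {cond: sorted(wanted - header_names(body)) for cond, body in blocks
            if ASSIGN.search(body) and wanted - header_names(body)}
if __name__ == "__main__":
    for cond, missing in dropped_headers(SAMPLE).items():
        print(f"{cond}: global header(s) not repeated: {', '.join(missing)}")
```

A block that repeats every global header, like the workaround in the report, is not flagged; a block that does not set the option at all is skipped.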