Re: Stupid question on mod_header

Probably because the header is being added later in a different sub-context.

That is, at the time Apache sets the header for the virtual host there is no other header of the same name defined, so there is nothing to eliminate and set instead, but then the path for the reverse proxy to Tomcat is being evaluated later.

I would suppose that by setting it in the specific location for the path that leads to Tomcat, things would be different.

In any case try and see.

Regards.

On Wed, 6 Oct 2021 12:09, Martin Knoblauch <knobi@xxxxxxxxxxxx> wrote:
Hi,

sorry for asking this likely stupid question. This is with Apache HTTPD 2.4.48.

I want to change the value of the X-Frame-Options response header from DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.

Naively, because the mod_header documentation says "The response header is set, replacing any previous header with this name. The value may be a format string.", I added a single

    Header always set X-Frame-Options SAMEORIGIN

to the VirtualHost section of the httpd configuration. To my surprise my browser (FF and Chrome) has two headers now, one with DENY, one with SAMEORIGIN. And falls back to DENY :-(

When I add an unset before the set, it works

    Header unset X-Frame-Options
    Header always set X-Frame-Options SAMEORIGIN

Is my understanding of the mod_header documentation wrong, or do I miss something subtle?

Cheers
Martin
--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
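
An added example, not part of the original messages and not Apache's code: a simplified Python model of the two response-header tables (`onsuccess`, the default, and `always`) that the mod_headers documentation describes, assuming the header from the proxied Tomcat lands in the default table. It reproduces the two outcomes reported in the thread; the function and constant names are hypothetical.

```python
# Simplified model (an assumption, not Apache source code) of the two
# response-header tables mod_headers documents: "onsuccess" and "always".

def apply_directives(backend_headers, directives):
    """Return the header list a client would receive.

    backend_headers: (name, value) pairs from the proxied backend; assumed
                     to land in the default ("onsuccess") table.
    directives: (condition, action, name, value) tuples mirroring
                `Header [condition] action name [value]`.
    """
    tables = {"onsuccess": list(backend_headers), "always": []}
    for condition, action, name, value in directives:
        table = tables[condition]
        # `set` and `unset` both drop same-named entries, but only from
        # the table selected by the condition.
        table[:] = [(n, v) for n, v in table if n.lower() != name.lower()]
        if action == "set":
            table.append((name, value))
    # On a successful response the entries of both tables are sent.
    return tables["onsuccess"] + tables["always"]


def values_of(headers, name):
    """All values sent for one header name (case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed sample: the backend header described in the thread.
BACKEND = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]

# Header always set X-Frame-Options SAMEORIGIN
ONLY_ALWAYS_SET = [("always", "set", "X-Frame-Options", "SAMEORIGIN")]

# Header unset X-Frame-Options
# Header always set X-Frame-Options SAMEORIGIN
UNSET_THEN_ALWAYS_SET = [
    ("onsuccess", "unset", "X-Frame-Options", None),
    ("always", "set", "X-Frame-Options", "SAMEORIGIN"),
]

if __name__ == "__main__":
    for label, cfg in [("always set only", ONLY_ALWAYS_SET),
                       ("unset + always set", UNSET_THEN_ALWAYS_SET)]:
        sent = apply_directives(BACKEND, cfg)
        print(label, "->", values_of(sent, "X-Frame-Options"))
```
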
