Duplicate Security Headers #7394

Closed
zzcoder opened this issue Sep 6, 2019 · 1 comment
zzcoder commented Sep 6, 2019

Summary

When default security headers are added using HttpSecurity.headers(), some headers are added twice when an async request is used.

Actual Behavior

The X-Content-Type-Options header appears twice:

    HTTP/1.1 200
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Transfer-Encoding: chunked
    Date: Fri, 06 Sep 2019 20:04:03 GMT

Expected Behavior

No duplicate headers.

Configuration

It only happens with an async request when the payload is larger than the buffer (16K).

Version

org.springframework.security:spring-security-web:5.1.6.RELEASE

Sample

This is a minimal test that reproduces the problem:

https://github.com/zzcoder/header-test

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 6, 2019
@eleftherias
Contributor

Closing as a duplicate of #4211.
This issue is fixed in all currently supported versions of Spring Security.

@eleftherias eleftherias self-assigned this Mar 10, 2022
@eleftherias eleftherias added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 10, 2022
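
A regression check for the behaviour reported in this issue, as an added example that is not part of the issue thread or of Spring Security: it parses a raw response head and reports watched headers that occur more than once, and whether the repeated values agree. The `SINGLETON_HEADERS` set and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Assumption: headers this check expects to appear exactly once; the names
# are the ones visible in the response posted in the issue.
SINGLETON_HEADERS = {
    "x-content-type-options", "x-xss-protection", "x-frame-options",
    "cache-control", "pragma", "expires",
}

# Response head as posted in the issue.
ISSUE_RESPONSE = """\
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Date: Fri, 06 Sep 2019 20:04:03 GMT
"""

def parse_headers(raw):
    """Return {lowercased name: [values in wire order]} for a response head."""
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                         # ignore lines without a colon
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def find_duplicates(raw, watched=SINGLETON_HEADERS):
    """Return {name: {"values": [...], "conflicting": bool}} for repeats."""
    found = {}
    for name, values in parse_headers(raw).items():
        if name in watched and len(values) > 1:
            found[name] = {"values": values,
                           "conflicting": len(set(values)) > 1}
    return found

if __name__ == "__main__":
    for name, info in find_duplicates(ISSUE_RESPONSE).items():
        kind = "conflicting" if info["conflicting"] else "identical"
        print(f"{name}: {len(info['values'])} occurrences ({kind})")
```

Header names are compared case-insensitively, so a repeat that differs only in capitalisation is still reported.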