
Prevent HTTP Headers Being Sent Twice In Responses

username-removed-65546 requested to merge ph1ll/omnibus-gitlab:master into master

The nginx conf adds three security headers that are already set in the GitLab application_controller, as shown at the following URL:

https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/application_controller.rb#L162

This results in the headers being sent twice, as shown below:

wget --server-response --spider --no-check-certificate https://127.0.0.1

HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 29 Oct 2014 08:53:57 GMT
  Content-Type: text/html; charset=utf-8
  Connection: keep-alive
  Status: 200 OK
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-UA-Compatible: IE=edge
  Strict-Transport-Security: max-age=31536000
  ETag: "5bdf7a2806e69e538a1ff3ea60e2cf92"
  Cache-Control: max-age=0, private, must-revalidate
  Set-Cookie: _gitlab_session=34dc882bfa6fd21dfde1651d9c6847ce; path=/; expires=Wed, 05 Nov 2014 08:53:57 -0000; secure; HttpOnly
  X-Request-Id: f04beca7-114e-4fa9-9a8d-73f153dc349f
  X-Runtime: 0.013610
  Strict-Transport-Security: max-age=63072000
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff

This issue affects the latest version of GitLab (7.4.2-omnibus-1).
