Add_header twice in nginx vHost?

In the admin manual sample nginx configuration, the following headers are set in the server block:

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;

and again in this location block:

location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
}

Why do we have to set them twice?

And why is there no “always” at the end of each line?
Wouldn’t that be a more secure configuration?

You are right, this would be more secure.
Therefore this will be added with the next major release NC17 (Beta 2 already available).

I don’t know the answer to that question.

See here:

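Added example, not part of the thread or the Nextcloud manual: a simplified Python model of nginx's documented `add_header` rules, which both questions above turn on. A block inherits `add_header` from the enclosing level only when it defines none of its own, and without `always` the fields are sent only for the listed status codes. The config snippet, block names and helper functions are constructed for illustration, and the parser assumes one directive or brace per line.

```python
import re
# Status codes for which nginx sends add_header fields when "always" is absent.
DEFAULT_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}
REQUIRED = ("X-Content-Type-Options", "Referrer-Policy")  # headers to audit
PHP = r"location ~ \.php$"            # block names in the constructed sample
STATIC = r"location ~ \.(?:css|js)$"
HEADER_RE = re.compile(r'add_header\s+(\S+)\s+("[^"]*"|\S+?)(\s+always)?\s*;')

# Constructed sample, modelled on the layout quoted in the thread.
SAMPLE = r'''
server {
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy no-referrer always;
    location ~ \.php$ {
        fastcgi_pass php-handler;
    }
    location ~ \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=15778463";
    }
}
'''

def parse(conf):
    """Map block name -> block for a snippet with one directive or brace per line."""
    cur = {"name": "main", "headers": [], "parent": None}
    blocks = {"main": cur}
    for line in map(str.strip, conf.splitlines()):
        if line.endswith("{"):
            cur = {"name": line[:-1].strip(), "headers": [], "parent": cur}
            blocks[cur["name"]] = cur
        elif line == "}":
            cur = cur["parent"]
        elif (m := HEADER_RE.match(line)):
            cur["headers"].append((m[1], m[2].strip('"'), bool(m[3])))
    return blocks

def effective_headers(block, status):
    """Header fields sent for a response with this status served from `block`."""
    # Inheritance applies only if the current level has no add_header of its own.
    while not block["headers"] and block["parent"]:
        block = block["parent"]
    return {n: v for n, v, always in block["headers"] if always or status in DEFAULT_CODES}

def missing(blocks, name, status, required=REQUIRED):
    return sorted(set(required) - set(effective_headers(blocks[name], status)))

if __name__ == "__main__":
    for name, status in [(PHP, 200), (PHP, 404), (STATIC, 200)]:
        print(name, status, "missing:", missing(parse(SAMPLE), name, status))
```

In the sample, the static-asset block loses both server-level headers because it sets `Cache-Control` itself, and the 404 from the PHP block keeps only the header marked `always`.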