Why am I seeing duplicate headers with same values in HTTP response? - http

When I recently curled my company's website, some headers appear to be duplicated in both names and values. For example, this is the full response from curl:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Dec 2016 15:54:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 53272
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Frame-Options: ALLOW-FROM https://policygenius1424796031.zendesk.com/
ETag: W/"2515e7e2b57063c8029ea978bf98b6e7"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: analytics_id=OW53dllLeGVPZ1YzR21vOVRvU1V5WjRBeklGNHdXeERpNVNNM3ZLd2djcnpBUjlnTzRWblFIYitHM0VtdWUzei0tN284NTV3RUVrRm9nVkhpTm1NZU5qQT09--b43227e963c8680e5b2984c13483e65ae67c8b6a; path=/; expires=Wed, 18 Jan 2017 15:54:37 -0000
Set-Cookie: request_method=HEAD; path=/
Set-Cookie: _policy_genius_session=bUVTYW5KU2FzQTh2bG44WEdvcExWK2d4NzJtNUlOSnpqUWhzL2tVSkhFTUNuODFWVkhmYU9mWVUySlpDbmlkdCttbVpZOXV0NHVYY3VWbFphYlA2S0tOdmROSFVMNUJ1QWNMMFpMcm5DZGEyTkdqSTBMMnNoTi9mMmJ2L01lSlRuSGhmMk8ydXBOYVNNcXA1Z1crWXUvelpvSDlYdWFZYjYxc0p2MGdPYnhNNm1FSFpDSFpYSU9Jb3F2UFhMQTVoTm12cXQ4bEdNMkpaVy95cWVQK094RXkwVmo5ZlE0UXdoMzA3LzJiQllkMW9jZS9xZmpiMEI0ZHFVMTNQSHlBbi0tSE51NGZyeEx2Nk95c3NxNWtHbjNhUT09--d1107337bb68f2861ffc6f081012441bd7554501; path=/; HttpOnly
X-Request-Id: 4a812c77-719e-4163-a665-5059a2b1e3a6
X-Runtime: 0.133390
Vary: Origin
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
Notice Strict-Transport-Security and Vary are duplicates and have the same values too. I am aware that it's ok to have duplicate header names with different values (here), but the same values?
Second part of the question: is anyone aware of negative effects of such duplication?
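As an added example (not part of the question or any answer on this page), the following Python script parses a constructed, shortened copy of the response above, groups repeated field names, and applies the combining rule of RFC 7230 section 3.2.2 for list-valued fields, while keeping each Set-Cookie separate and, for Strict-Transport-Security, using only the first occurrence as RFC 6797 section 8.1 requires. SAMPLE_RESPONSE and the helper names are this example's own assumptions.

```python
"""Detect repeated header fields in a raw HTTP/1.1 response and show what a
conforming client ends up with after processing the repeats.

Added example, not code from the original question. SAMPLE_RESPONSE is a
constructed, trimmed copy of the curl output shown in the question.
"""
from collections import OrderedDict

# Constructed sample: trimmed version of the response shown in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Vary: Accept-Encoding\r\n"
    "Vary: Accept-Encoding\r\n"
    "Set-Cookie: a=1; path=/\r\n"
    "Set-Cookie: b=2; path=/; HttpOnly\r\n"
    "Vary: Origin\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return an ordered list of (name, value) pairs with names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_duplicates(pairs):
    """Map name -> list of values, for every name that appears more than once."""
    seen = OrderedDict()
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def analyse(name, values):
    """Return (action, effective value) for a repeated field name."""
    if name == "set-cookie":
        # RFC 6265: each Set-Cookie is a separate cookie; never joined with commas.
        return "keep-all", list(values)
    if name == "strict-transport-security":
        # RFC 6797 s.8.1: a UA processes only the first STS field it receives.
        return "first-wins", values[0]
    # RFC 7230 s.3.2.2: list-valued fields combine, in order, with ", ".
    return "combine", ", ".join(values)


def report(raw):
    """Summarise every duplicated field in the raw response."""
    out = {}
    for name, values in find_duplicates(parse_headers(raw)).items():
        action, effective = analyse(name, values)
        out[name] = {
            "values": values,
            "identical": len(set(values)) == 1,  # exact repeat, as in the question
            "action": action,
            "effective": effective,
        }
    return out


if __name__ == "__main__":
    for name, info in report(SAMPLE_RESPONSE).items():
        print(name, info)
```

Running it shows that the two identical Vary lines merge into a redundant but harmless list, and that the repeated HSTS line is simply ignored by a conforming agent. The practical caveat is that some intermediaries and HTTP libraries keep the last value of a repeated field rather than the first, so a quick check like this after adding a reverse proxy or CDN layer surfaces duplicates before they create that ambiguity.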

Related

Set-Cookie headers don't set cookies (Chrome,Firefox) (FE,BE on different domains)

I'm having problems with JWT cookies set by Set-Cookie headers.
After correct credentials are sent, the backend returns these headers for the website website.com and path website.com#login, and the backend is on a different domain, backend.com:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://website.com
Allow: POST, OPTIONS
Connection: keep-alive
Content-Length: 678
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Mon, 28 Feb 2022 14:39:55 GMT
Referrer-Policy: same-origin
Server: nginx/1.18.0 (Ubuntu)
Set-Cookie: jwt-access-token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjQ2MDYyxxxxxxxxxxxxxxxxxxxxxxxxx4MTE5YzQzM2JiYmE0MDFlMWNlYTNiZDM4IiwidXNlcl9pZCI6MTAwMDB9.ut8VUSKDHTi4zTOY5Gr0qlbWG7pYhxxfok_rE1Pju74; expires=Mon, 28 Feb 2022 15:39:55 GMT; Max-Age=3600; Path=/; SameSite=None; Secure
Set-Cookie: jwt-refresh-token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTY0ODY1xxxxxxxxxxxxxxxxxxxxxxxxxxxxdGkiOiI4YzJlZWFkZWIxMjI0MDBkYTYwNWJmMDkwMjM5ODhkNCIsInVzZXJfaWQiOjEwMDAwfQ.-CE1JvtXhoLksKfxIf2bM8u80U4Fcr83yaoEmqqs2SI; expires=Wed, 30 Mar 2022 14:39:55 GMT; Max-Age=2592000; Path=/; SameSite=None; Secure
Set-Cookie: csrftoken=mugKGWG8R4936Dxxxxxxxxxxxxxxxxxxxxxxxx9XElIy704ZuDau; expires=Mon, 27 Feb 2023 14:39:55 GMT; Max-Age=31449600; Path=/; SameSite=None; Secure
Set-Cookie: sessionid=1heuj9ui88xxxxxxxxxtrahr; expires=Mon, 14 Mar 2022 14:39:55 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=None; Secure
Vary: Accept, Cookie, Origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
You can see Set-Cookie headers but they are not set and sent with the next requests.
Do you know where the problem is? I've turned off the "httpOnly" param but that didn't help.

How to remove double Vary header nginx

I want to make sure that some of my responses will not be cached by anyone.
One of the advised options is to set Vary: *.
Unfortunately my nginx, which has gzip support enabled, returns two Vary headers if I add add_header "Vary" "*";
HTTP/1.1 200 OK
Server: nginx/1.11.1
Date: Mon, 16 Jan 2017 14:56:16 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Vary: *
Any idea how to force having only Vary: * in responses while keeping gzip support on for the request?
gzip_vary off;
should stop gzip from auto-adding the Vary header.
docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_vary

HTTP Cache-Control Header

When I test my site using http://www.webpagetest.org/, it says that I have not set a cache expiration header on the home page. When I curl, I see it is set:
HTTP/1.1 200 OK
Date: Wed, 23 Mar 2016 22:31:17 GMT
Server: Apache/2.2.22 (Ubuntu)
Cache-Control: max-age=691200, public
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Request-Id: aa9fc904-2af6-4649-bbb2-dfc308172c08
ETag: W/"0011b34ba2dd655ce7380a1014310370"
X-Frame-Options: SAMEORIGIN
X-Runtime: 0.010013
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 5.0.25
Set-Cookie: request_method=HEAD; path=/; secure
Set-Cookie: _lafon_session=V21Yc1RlSUlRPT0%3Ddaea; path=/; secure; HttpOnly
Status: 200 OK
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Any ideas on why webpagetest.org thinks the header is not set?
http://www.webpagetest.org/ wrongly expects the Expires header to be set, forgetting about its full analog with higher priority: max-age.
Everything is ok with your site.
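To show the precedence the answer describes, here is an added Python example (not from the question or the answer) that computes a response's freshness lifetime in the order given by RFC 7234 section 4.2.1: a Cache-Control max-age directive wins, Expires is consulted only when max-age is absent, and no-store or no-cache yield zero. The header dictionaries are constructed to mirror the headers in the question and the related threads; the function names are this example's own.

```python
"""Freshness lifetime of an HTTP response, following RFC 7234 section 4.2.1:
max-age takes precedence over Expires, so a response with a valid max-age
is cacheable even when no Expires header is present at all.

Added example, not code from the original question or answer.
"""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Parse 'max-age=691200, public' into {'max-age': '691200', 'public': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def freshness_lifetime(headers):
    """Seconds the response may be served without revalidation, or None when
    the response carries no explicit expiration information at all.

    headers: dict of header name -> value (names matched case-insensitively).
    A private cache is assumed, so s-maxage is not considered.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0  # not reusable without revalidation (simplified to 0 here)
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return int(max_age)  # max-age wins over Expires (RFC 7234 s.4.2.1)
    if "expires" in h and "date" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            date = parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return 0  # an unparsable Expires (e.g. "0") means already expired
        return max(0, int((expires - date).total_seconds()))
    return None


# Constructed samples mirroring the headers shown on this page.
WITH_MAX_AGE = {
    "Date": "Wed, 23 Mar 2016 22:31:17 GMT",
    "Cache-Control": "max-age=691200, public",
}
EXPIRES_ONLY = {
    "Date": "Wed, 23 Mar 2016 22:31:17 GMT",
    "Expires": "Wed, 30 Mar 2016 22:31:17 GMT",
}
BOTH_PRESENT = {
    "Date": "Thu, 14 Aug 2014 14:52:40 GMT",
    "Expires": "Thu, 31 Dec 2037 23:55:55 GMT",
    "Cache-Control": "max-age=60",
}
NO_STORE = {
    "Cache-Control": "max-age=0, no-cache, no-store, must-revalidate",
    "Expires": "0",
}

if __name__ == "__main__":
    for label, hdrs in [("max-age only", WITH_MAX_AGE), ("Expires only", EXPIRES_ONLY),
                        ("both", BOTH_PRESENT), ("no-store", NO_STORE)]:
        print(label, "->", freshness_lifetime(hdrs))
```

The first sample is the questioner's own Cache-Control line and yields a lifetime of 691200 seconds with no Expires header involved, which is exactly why the answer says the site is fine; the third sample shows that a far-future Expires does not override a short max-age.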

PHP sending different headers on different hosts

I have two identical instances of an application - one on my local machine the other one on a VPS.
The problem is that my local instance sends the expected headers:
[rico#local]$ curl -I app.local
HTTP/1.1 302 Found
Server: nginx/1.6.0
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.5.14
Set-Cookie: PHPSESSID=9sh2e9uo9b56sdvhrruakigvd7; path=/
Cache-Control: max-age=0, must-revalidate, no-store, nocache, private
Date: Thu, 14 Aug 2014 14:51:30 GMT
Location: /login
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Whereas the instance on the VPS sends some other (wrong) headers:
[rico#local]$ curl -I app.vps
HTTP/1.1 302 Found
Server: nginx/1.6.0
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Set-Cookie: PHPSESSID=me5h90pj59g0rh62rjlghtjsi0; path=/
Cache-Control: max-age=315360000
Date: Thu, 14 Aug 2014 14:52:40 GMT
Location: /login
Expires: Thu, 31 Dec 2037 23:55:55 GMT
What / who might be rewriting my headers?

Weird HTTP Response Arduino

So, I wrote a program that is supposed to connect to a server, and it returns the time. It works on my server, but when I tried to use it on another server, it responds oddly. Here is the response from my server:
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2014 00:06:20 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Set-Cookie: PHPSESSID=jlscamqbddtqibf9j7m0fu27p5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6
Connection: close
Content-Type: text/html
4:06pm
which works great. Now here is the response from the other server (doesn't work):
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2014 00:06:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=krlqmoqgpiqm9b9u27agup53c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
6
4:06pm
0
As you can see I'm getting some weird stuff before and after the expected response. The code on the server is exactly the same. And the code on the Arduino is the same except for a couple of strings.
Here is a pastebin of the code I am using: http://pastebin.com/TFF5h2Gw
Sorry there aren't a lot of comments and it's kinda jumbled together. I omitted a little bit of code that is used by other stuff that I haven't even gotten to test yet because I can't even get the time.
What you are seeing is a chunk-encoded response. That is okay as all HTTP/1.1 capable clients are supposed to understand this transport encoding. What is weird is that the server is not explicitly marking the response as being chunk-encoded (this is usually done via the Transfer-Encoding: chunked header).
A quick way to get rid of this is to issue an HTTP/1.0 request.
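Added example (not the questioner's Arduino code and not the answerer's): a small Python decoder for the chunked transfer coding of RFC 7230 section 4.1, applied to a constructed body matching what the second server sent, namely the lines 6, 4:06pm and 0. ChunkedDecodeError and looks_chunked are names invented for this example; looks_chunked is only a heuristic for the case the answer describes, where the Transfer-Encoding header is missing.

```python
"""Decode an HTTP/1.1 chunked body: hex chunk-size line, chunk data, CRLF,
repeated until a zero-size chunk, then optional trailer fields and a blank
line (RFC 7230 section 4.1).

Added example, not code from the original question or answer.
"""

# Constructed: the bytes the second server in the question put on the wire
# after the blank line that ends the headers.
CHUNKED_BODY = b"6\r\n4:06pm\r\n0\r\n\r\n"


class ChunkedDecodeError(ValueError):
    """Raised when the body does not follow the chunked framing."""


def decode_chunked(body):
    """Return (decoded_bytes, trailer_lines), or raise ChunkedDecodeError."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedDecodeError("missing chunk-size line")
        # chunk extensions after ';' are permitted and ignored here
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedDecodeError("bad chunk size %r" % size_field)
        pos = eol + 2
        if size == 0:
            break  # last-chunk
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedDecodeError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedDecodeError("chunk data not followed by CRLF")
        pos += 2
    # After last-chunk: zero or more trailer fields, then an empty line.
    trailers = []
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedDecodeError("missing final CRLF")
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            break
        trailers.append(line.decode("latin-1"))
    return bytes(out), trailers


def looks_chunked(body):
    """Heuristic for a server that omits Transfer-Encoding: does the body
    start with a plausible hex chunk-size line? Only a hint, not proof."""
    first = body.split(b"\r\n", 1)[0].split(b";", 1)[0].strip()
    if not first:
        return False
    try:
        int(first, 16)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(looks_chunked(CHUNKED_BODY), decode_chunked(CHUNKED_BODY))
```

The decoder errors out on a truncated chunk rather than returning partial data, which is the behaviour you want on a small device that otherwise has no way to tell a short read from a complete one; a client that instead trusts Content-Length, as the first server's response allowed, would have read exactly six bytes and been done.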
