0

I've set HSTS in a common .htaccess which is being used by multiple sites.

```apache
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
```

But when a site has already set an HSTS header from the virtual host configuration, two HSTS headers end up being added to the response.

So before I set HSTS in .htaccess, how do I check if an HSTS header is already present?

Tom

3 Answers

2

It's OK with `Header set`. There would be a problem if you had used `Header add`.

add : The response header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set, append or merge should be used instead.

set : The response header is set, replacing any previous header with this name. The value may be a format string.

https://httpd.apache.org/docs/current/en/mod/mod_headers.html

Croises
2

Alternatively, use `setifempty`:

```apache
Header always setifempty Strict-Transport-Security "max-age=31536000" env=HTTPS
```
Barry Pollard
  • 1
    Thanks - but `SetIfEmpty available in 2.4.7 and later, expr=value available in 2.4.10 and later`. – Tom Nov 01 '17 at 09:33
0

As @Croises reported, it should by default just overwrite, but in my case it turns out the headers set by the virtual host configs were using the `always` keyword, hence the header set by .htaccess was also added.

You could also use `setifempty`, but in my case my Apache wasn't the latest (it's only supported from 2.4.7 onwards), so I had to do the following to make it work.

```apache
Header always unset Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
```
Tom
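
A way to confirm from a captured response whether the duplication described in the question is present, as an added example that is not part of any of the posts above. The sample headers are constructed, and `hsts_values`, `parse_hsts` and `audit` are hypothetical helper names. It relies on RFC 6797 section 8.1, under which a browser processes only the first Strict-Transport-Security field it receives.

```python
import re

# Constructed sample: raw response headers from a site where both the virtual
# host and .htaccess emitted HSTS (values are illustrative, not from the page).
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 Nov 2017 09:00:00 GMT\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def hsts_values(raw_headers):
    """Return every Strict-Transport-Security value in wire order."""
    values = []
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        if not line.strip():                       # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_hsts(value):
    """Parse one value into (max_age, include_subdomains); max_age is None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        val = val.strip().strip('"')               # max-age may be a quoted string
        if key == "max-age" and re.fullmatch(r"[0-9]+", val):
            max_age = int(val)
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(raw_headers):
    """Report duplicates and the policy a browser would actually apply."""
    values = hsts_values(raw_headers)
    report = {"count": len(values), "duplicate": len(values) > 1,
              "effective": None, "conflict": False}
    if values:
        report["effective"] = parse_hsts(values[0])   # only the first is processed
        report["conflict"] = len({parse_hsts(v) for v in values}) > 1
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_DUPLICATE))
```

A `conflict` result means the two configuration layers disagree, so the policy browsers apply depends on which header is emitted first rather than on the value in .htaccess.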