PHP-FPM, PHP duplicates header instead of replacing it

[interfasys]

There is a header problem which is affecting PHP applications. Before I report it upstream, I want to make sure it's not due to the way CB does things.

Apache inserts a Strict-Transport-Security header and some PHP apps add headers via lines like this

header('Strict-Transport-Security: max-age=31536000');

When you analyse the request in the browser, you get either twice the parameters or twice the headers, depending on the browser, because some try to merge them.

Would there be a CB reason PHP-FPM is not correctly adding headers?

 

[smtalk]

CB 2.0 doesn't touch Strict-Transport-Security at all. Is it standalone apache or nginx+apache? I'd recommend running something like:

grep -r 'Strict-Transport-Security' /home/[B]user[/B]/domains/[B]domain.com[/B]/public_html

To be sure that you don't have it specified twice in your code (and/or .htaccess).

 

[interfasys]

Thanks for the reply.
I was wondering if maybe some headers were getting modified through the proxy, but it turns out it was a problem with our Apache config, we were using "header add" instead of "header set"... Mistery solved!

Having said that, I've heard people complaining about double headers with NGINX and looking at the doc, it's always header_add...