I’m using PHP with nginx 1.9.2 and it works great!
But there’s something I don’t understand with the add_header directive.
I use add_header in server and location block, but it seems only the one
in
location is used.
If I remove the add_header in the location block, I get the header I
added
in the server block.
Here’s a short example:
server {
add_header Strict-Transport-Security “max-age=604800;
includeSubDomains”;
location = /blah {
add_header X-Test test;
}
}
If I access /blah, I’ll only get the X-Test header, while I’d like to
get
X-Test and Strict-Transport-Security.
If I comment the add_header in the blah location and access /blah, I’ll
get
the Strict-Transport-Security header.
How can I solve this problem, without having to duplicate/include
“add_header Strict-Transport-Security” everywhere?
there is no chance to avoid the duplicates. I asked the same questions
some
time ago.
For detailed answer on my question see Re: Behavior of security headers.