Why are X-Content-Type-Options, X-XSS-Protection headers not returned on https?

E

Elizabeth Lawrence2019-03-26 23:33:12

Nginx

Elizabeth Lawrence, 2019-03-26 23:33:12

Hello everybody. I have an nginx server in conjunction with php-fpm. In the nginx config (etc/nginx/nginx.conf) in the http block I wrote:

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1;mode=block";

When my site was opened via http, these headers were returned from the server, as soon as I switched to https and set a redirect, the server does not return these headers on the https version of the page. Tell me, please, why?
I checked the server response by entering the domain name without protocol and got this picture:

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

D

dodo512, 2019-03-26
@Svoeobraznaya

nginx.org/ru/docs/http/ngx_http_headers_module.htm...
The server block for https has a add_header Strict-Transport-Security, so directives from the previous level are not inherited.