Referrer-Policy header is added twice
## Summary

When making requests to https://gitlab.com the response returned contains 2 __Referrer-Policy__ headers set with the same value (`strict-origin-when-cross-origin`).

## Steps to reproduce

1. Use curl to make a request to https://gitlab.com and inspect headers returned: `curl -v https://gitlab.com`
1. Response:

```
* Rebuilt URL to: https://gitlab.com/
* Trying 35.231.145.151...
* TCP_NODELAY set
* Connected to gitlab.com (35.231.145.151) port 443 (#0)
* schannel: SSL/TLS connection with gitlab.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 175 bytes...
* schannel: sent initial handshake data: sent 175 bytes
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4022
* schannel: encrypted data buffer: offset 4022 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 876
* schannel: encrypted data buffer: offset 4898 length 5046
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 242
* schannel: encrypted data buffer: offset 242 length 5046
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with gitlab.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: gitlab.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1784
* schannel: encrypted data buffer: offset 1784 length 103424
* schannel: decrypted data length: 1755
* schannel: decrypted data added: 1755
* schannel: decrypted data cached: offset 1755 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1755 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1755
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 302 Found
< Server: nginx
< Date: Wed, 25 Sep 2019 08:56:45 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 91
< Cache-Control: no-cache
< Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; img-src * data: blob:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com 'nonce-PzDoWrhXvte/oUpg5Yh/VA=='; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:
< Location: https://about.gitlab.com/
< Referrer-Policy: strict-origin-when-cross-origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: DENY
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: dOzrFFWcTf4
< X-Runtime: 0.015471
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Referrer-Policy: strict-origin-when-cross-origin
< GitLab-LB: fe-17-lb-gprd
< GitLab-SV: web-34-sv-gprd
<
<html><body>You are being <a href="https://about.gitlab.com/">redirected</a>.</body></html>* Connection #0 to host gitlab.com left intact
```

`Referrer-Policy: strict-origin-when-cross-origin` is added twice.

## Configuration used

N/A

## Current behavior

The __Referrer-Policy__ header is added twice.

## Expected behavior

The __Referrer-Policy__ header is only added once.

## Versions

GitLab.com is running version 12.3.0-pre

## Relevant logs

N/A
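
A check for the condition reported above, as an added example that is not part of the original issue or GitLab's code: it parses `curl -v` output in the format shown, groups headers per HTTP response, and reports any header sent more than once, separating identical repeats from conflicting ones. The function name, the `allow_repeat` default and the abridged sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the `curl -v` output format in the report.
SAMPLE = """\
> GET / HTTP/1.1
> Host: gitlab.com
< HTTP/1.1 302 Found
< Server: nginx
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=31536000
< Referrer-Policy: strict-origin-when-cross-origin
< GitLab-LB: fe-17-lb-gprd
<
"""

# curl -v prefixes received header lines with "<"; a status line opens a response.
STATUS_LINE = re.compile(r"^<\s*HTTP/\d")
HEADER_LINE = re.compile(r"^<\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*?)[ \t]*$")


def duplicated_headers(verbose_output, allow_repeat=("set-cookie",)):
    """Return one {header: (kind, values)} dict per HTTP response in the output.

    kind is "identical" when every repeat carries the same value, otherwise
    "conflicting". Names are compared case-insensitively. allow_repeat lists
    headers expected to repeat (assumed default: Set-Cookie only).
    """
    responses = []
    for line in verbose_output.splitlines():
        if STATUS_LINE.match(line):
            # New response, e.g. after a redirect followed with `curl -L`;
            # headers from different responses must not be counted together.
            responses.append(defaultdict(list))
            continue
        match = HEADER_LINE.match(line)
        if match and responses:
            responses[-1][match.group(1).lower()].append(match.group(2))

    reports = []
    for headers in responses:
        report = {}
        for name, values in headers.items():
            if len(values) > 1 and name not in allow_repeat:
                kind = "identical" if len(set(values)) == 1 else "conflicting"
                report[name] = (kind, values)
        reports.append(report)
    return reports
```

An "identical" result matches this report; a "conflicting" result is the case to prioritise, because the effective policy then depends on how the client combines the repeated header.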