Prevent HTTP Headers Being Sent Twice In Responses
The nginx conf adds three security headers that are already set in the GitLab application_controller, as shown at the following URL:
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/application_controller.rb#L162
This results in the headers being sent twice, as shown below:
wget --server-response --spider --no-check-certificate https://127.0.0.1
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 29 Oct 2014 08:53:57 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge
Strict-Transport-Security: max-age=31536000
ETag: "5bdf7a2806e69e538a1ff3ea60e2cf92"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _gitlab_session=34dc882bfa6fd21dfde1651d9c6847ce; path=/; expires=Wed, 05 Nov 2014 08:53:57 -0000; secure; HttpOnly
X-Request-Id: f04beca7-114e-4fa9-9a8d-73f153dc349f
X-Runtime: 0.013610
Strict-Transport-Security: max-age=63072000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
This issue affects the latest version of GitLab (7.4.2-omnibus-1).
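A way to check a response for this condition, as an added example that is not part of the original issue or of GitLab's code: it groups header lines by name and reports repeated headers, separating identical repeats from conflicting ones such as the two `X-Frame-Options` and `Strict-Transport-Security` values in the output above. The function names, the `MULTI_VALUED` allow-list and the trimmed sample are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: a trimmed copy of the wget output in the issue,
# plus a second Set-Cookie line to show that legitimate repeats are ignored.
SAMPLE = """\
  HTTP/1.1 200 OK
  Server: nginx
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=31536000
  Set-Cookie: a=1; path=/; secure; HttpOnly
  Set-Cookie: b=2; path=/; secure; HttpOnly
  Strict-Transport-Security: max-age=63072000
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
"""

# Headers that are expected to appear more than once (assumed allow-list).
MULTI_VALUED = {"set-cookie"}


def parse_headers(raw):
    """Group header values by lower-cased name, in order of arrival."""
    seen = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()  # wget --server-response indents each line
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    return seen


def find_duplicates(raw):
    """Return {name: (kind, values)} for every header sent more than once."""
    report = {}
    for name, values in parse_headers(raw).items():
        if len(values) < 2 or name in MULTI_VALUED:
            continue
        distinct = {v.lower() for v in values}
        kind = "identical" if len(distinct) == 1 else "conflicting"
        report[name] = (kind, values)
    return report


if __name__ == "__main__":
    for name, (kind, values) in find_duplicates(SAMPLE).items():
        print(f"{name}: {kind} -> {values}")
```

Run against the response of a proxied application, a non-empty result means both the proxy and the application are setting the same header; the conflicting entries are the ones to resolve first.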