On Thu, Aug 13, 2015 at 6:28 PM, Nick Kew <n...@webthing.com> wrote: > On Thu, 13 Aug 2015 20:28:40 +0000 > "Houser, Rick" <rick.hou...@jackson.com> wrote: > >> Some time back, I turned on HSTS for our sites with something like this: >> >> Header always set Strict-Transport-Security "max-age=#######" > > I think you're misunderstanding mod_headers and the headers structure. > In general terms, HTTP permits duplicate headers, which may have > different values. For example,.multiple cookies. So mod_headers > lets you set them, regardless of whether they're already set. > > If that's not what you want, you can of course configure mod_headers > to unset an existing header before setting a new one. Or other > configuration variants.
mod_headers already has 'set' vs 'add' so I think his expectation is OK. My first guess would be some issue with headers_out vs err_headers_out ?