I am currently trying to improve my HAProxy HTTPS configuration.
There seem to be two ways to set additional fields in response headers in HAProxy.
I currently use http-response set-header, which should, if I understand it right:
- Check if the field exists
- If it exists, delete it
- Set the field to the new value
Some people use rspadd instead, which should simply append the field at the end of the response header.
When working with sensitive fields like for HSTS, set-header feels safer on paper.
Is there any real difference between the two?
If yes, which one should I prefer when setting sensitive fields in my headers?
Best Answer
The http-response commands are newer (added in 1.5), adding additional functionality and flexibility to the older rspadd/rspdel/etc. commands. While they'll both work, it's probably better to stick with http-response for future-compatibility.
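
An added example, not part of the original question or answer and not HAProxy's own code: a small Python model of the two behaviours as the question describes them, applied to a constructed backend response that already carries an HSTS field. It also applies the RFC 6797 section 8.1 rule that a user agent processes only the first Strict-Transport-Security field; all header values are constructed.

```python
# Model (not HAProxy code) of how the two directives edit a response's header list.
HSTS = "Strict-Transport-Security"

def rspadd(headers, name, value):
    """rspadd: append the field at the end, keeping whatever the backend sent."""
    return headers + [(name, value)]

def set_header(headers, name, value):
    """http-response set-header: drop every existing field with this name, then add one."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]

def effective_hsts(headers):
    """RFC 6797 section 8.1: a user agent processes only the first STS field."""
    for n, v in headers:
        if n.lower() == HSTS.lower():
            return v
    return None

def max_age(policy):
    """Extract max-age (seconds) from an STS value; None if absent or malformed."""
    for directive in (policy or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else None
    return None

# Constructed backend response: the application already emits a weak HSTS policy.
BACKEND = [("Content-Type", "text/html"), (HSTS, "max-age=0")]
PROXY_POLICY = "max-age=31536000; includeSubDomains"

def compare():
    """Return {directive: (number of STS fields, max-age the browser applies)}."""
    out = {}
    for label, fn in (("rspadd", rspadd), ("set-header", set_header)):
        hdrs = fn(BACKEND, HSTS, PROXY_POLICY)
        count = sum(1 for n, _ in hdrs if n.lower() == HSTS.lower())
        out[label] = (count, max_age(effective_hsts(hdrs)))
    return out

if __name__ == "__main__":
    for label, (count, age) in compare().items():
        print(f"{label:10s} STS fields={count} effective max-age={age}")
```

With the appended field the backend's value stays first and is the one a browser applies; with set-header the proxy's value is the only one present.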