Nginx – Is it good practice to set HTTP headers in the load balancer

Tags: architecture, best practices, http-headers, nginx

I am managing a setup where there are two nginx application servers behind an nginx reverse proxy. I would like to set some headers like X-XSS-Protection or Strict-Transport-Security. Currently, they are set on both application servers and the load balancer, and this is causing headers to be convoluted.

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied. 

I can see that the duplicate header values are being appended to the same header key. My question is this: What's the general convention/accepted best practice for setting headers? Should I set headers in the backend and remove them from the load balancer or should the load balancer be the one setting headers?

Best Answer

In my opinion, it doesn't matter where headers are set. The advantage of setting headers in Nginx is that they're really quite simple to change, compared with changing code, deploying, etc. I've had two cases where I've had to rewrite headers using either Nginx or an F5 load balancer; they give a lot more flexibility.

You would need to give a more concrete example to get more useful information, as your question is too broad.
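
An added example, not part of the original question or answer: one way to end up with a single copy of each header is to set it only on the load balancer and strip whatever the application servers still send. The upstream name, addresses, server name, certificate paths and the max-age value are placeholders constructed for illustration.

```nginx
# Load balancer (reverse proxy) configuration.
# All names, addresses and paths below are placeholders, not from the post.
upstream app_servers {
    server 10.0.0.11:80;   # constructed address
    server 10.0.0.12:80;   # constructed address
}

server {
    listen 443 ssl;
    server_name example.com;                          # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path

    # Set each security header exactly once, here.
    # "always" also adds it to error responses (4xx/5xx).
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000" always;  # constructed value

    location / {
        proxy_pass http://app_servers;

        # Drop any copy the application servers still send, so the client
        # never receives the merged value "1; mode=block, 1; mode=block".
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header Strict-Transport-Security;

        # add_header is inherited from the server block only while this
        # location defines no add_header of its own; adding one here would
        # silently drop the two headers set above for this location.
    }
}
```

With this in place the backends can keep or drop their own add_header lines without affecting what the client sees; checking a response with `curl -sI` should show each header once.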