https://httpd.apache.org/docs/current/mod/mod_headers.html
The optional argument condition determines which internal table of response headers this directive works with: onsuccess (default, can be omitted) or always. The difference between the two lists is that the headers contained in the latter are added to the response even in case of error, and persist across internal redirections (e.g. ErrorDocument handler). Also note that repeating this directive with both conditions is useful in some scenarios because always is not a superset of onsuccess with respect to existing headers:
- You are adding a header to a locally generated non-success response (not 2xx), such as a redirect. In this case, only the table corresponding to always is used in the final response.
- You modify or remove a header generated by a CGI script or by mod_proxy_fcgi. In this case, the headers of the CGI script are in the table that corresponds to always, not in the default table.
- You are changing or removing a header that was generated by part of the server, but that header is not found by the default onsuccess condition.
Currently I have in my .htaccess among others the following
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Now Apache tells me that "always" refers to other tables. Namely also to erroneous requests or outputs, as it happens with errors in the range Error 5xx.
I just don't understand this at all, the internet is full of chaos. Maybe we can clarify this here and clear up the myths.
Wouldn't it be more intelligent to write the following in the .htaccess:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
and additionally
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Currently I have for all entries of the header the specification
always
Can someone please explain this to me clearly for a noob? Thanks ☺
PS: Please no hate. The server is maintained by a company (firewall, security, etc.), but I am responsible for setting up the .htaccess file myself.
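
Added example, not part of the original post: a shell check for the two-table behaviour the quoted documentation describes, counting Strict-Transport-Security headers in `curl -sI` style output. On a 2xx response Apache sends both tables, so `Header set` and `Header always set` together produce two copies, while `Header set` alone produces none on an error response. The sample responses are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: count Strict-Transport-Security headers in a response header
# dump (the format printed by `curl -sI URL`) and classify the result.

hsts_count() {
    # Header names are case-insensitive; strip CRs from the wire format first.
    tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ { n++ } END { print n + 0 }'
}

hsts_verdict() {
    # Exactly one copy is the goal: none means the header never reached the
    # client, more than one means both header tables contributed a copy.
    case "$(hsts_count)" in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Constructed sample responses (not captured from a real server).
# 404 with only `Header set ...`: the onsuccess table is not sent on errors.
sample_404_set_only() {
    printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n'
}
# 301 with only `Header always set ...`: header present on the redirect.
sample_301_always_only() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\nLocation: https://example.org/\r\n\r\n'
}
# 200 with both directives: each table contributes one copy.
sample_200_both() {
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\n\r\n'
}

for s in sample_404_set_only sample_301_always_only sample_200_both; do
    printf '%s: %s\n' "$s" "$("$s" | hsts_verdict)"
done
```

To check a live site, pipe `curl -sI` output for a normal page, a redirect and a missing page into `hsts_verdict`; each should report `ok`.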