{ "X-Permitted-Cross-Domain-Policies", "none" },
{ "X-XSS-Protection", "1; mode=block" },
{ "Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'" },
- { "Connection", "close" },
};
for (const auto& h : headers) {
addCustomHeaders(resp, customHeaders);
addSecurityHeaders(resp, customHeaders);
+ /* indicate that the connection will be closed after completion of the response */
+ resp.headers["Connection"] = "close";
/* no need to send back the API key if any */
resp.headers.erase("X-API-Key");
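Review bot: the unconditional `resp.headers["Connection"] = "close";` runs after both addCustomHeaders(resp, customHeaders) and addSecurityHeaders(resp, customHeaders), so a Connection value supplied through customHeaders is now silently overwritten, while the entry this patch removes from the default list was documented as one of the headers a user could override. If forcing the close is the intent, extend the comment above the assignment to say that custom headers cannot change it; if not, skip the assignment when customHeaders already carries a Connection entry.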
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
- Connection: close
You can override those headers, or add custom headers by using the last parameter to :func:`webserver`.
For example, to remove the X-Frame-Options header and add a X-Custom one:
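Review bot: missing documentation in the default header list, which drops `Connection: close` while the sentence right after it still tells the reader that the headers can be overridden or extended through the last parameter to webserver. Since the code side of this patch still sets Connection: close on the response, add a sentence here stating that this header is always sent and is not affected by the custom headers parameter, so that operators do not read its absence from the list as a change in connection handling.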