
Duplicate Strict-Transport-Security if set by upstream #4704

Closed
amq opened this issue Oct 21, 2019 · 2 comments

Comments

@amq

amq commented Oct 21, 2019

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): This is a bug report

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): duplicate header, more_set_headers, proxy_hide_header, mismatching security header values


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version: 0.26.1

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.1", GitCommit:"d647ddbd755faf07169599a625faf302ffc34458", GitTreeState:"clean", BuildDate:"2019-10-02T17:01:15Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.7-gke.24", GitCommit:"2ce02ef1754a457ba464ab87dba9090d90cf0468", GitTreeState:"clean", BuildDate:"2019-08-12T22:05:28Z", GoVersion:"go1.11.5b4", Compiler:"gc", Platform:"linux/amd64"}

Same thing after updating to 1.14:

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.1", GitCommit:"d647ddbd755faf07169599a625faf302ffc34458", GitTreeState:"clean", BuildDate:"2019-10-02T17:01:15Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6-gke.13", GitCommit:"acdb9a03a6dc0f7f62d7acdda75c9a9faca50fee", GitTreeState:"clean", BuildDate:"2019-09-20T23:13:58Z", GoVersion:"go1.12.9b4", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release): Ubuntu 18.04.2
  • Kernel (e.g. uname -a): 4.15.0-1034-gke
  • Install tools: helm stable chart v1.24.3
  • Others:

What happened:

Upstream sets Strict-Transport-Security like this:

```
Strict-Transport-Security: max-age=15552000; includeSubDomains
```

When I examine the response headers of nginx-ingress using curl -I, I get:

```
strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15552000; includeSubDomains
```

What you expected to happen:

The upstream header should have been replaced at nginx-ingress.

How to reproduce it (as minimally and precisely as possible):

```php
<?php
header('Strict-Transport-Security: max-age=15552000; includeSubDomains');

// also reproduces
// header('strict-transport-security: max-age=15552000; includeSubDomains');
exit;
?>
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello
  labels:
    app: hello
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: hello.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: hello
          servicePort: 80
  tls:
  - secretName: hello
```

```shell
helm upgrade -i nginx-ingress stable/nginx-ingress --namespace nginx-ingress \
    --set controller.service.loadBalancerIP=redacted \
    --set controller.replicaCount=2 \
    --set controller.service.externalTrafficPolicy=Local
```

Anything else we need to know:
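The duplicate-header condition described in this report is easy to miss by eye but simple to check for mechanically. The following script is an added example, not part of the issue or of the ingress-nginx project: it parses a raw HTTP response header block, groups header fields by name, and flags a `Strict-Transport-Security` header that appears more than once or with conflicting `max-age` values. The sample response embedded in it is constructed from the two header lines quoted above. The security-relevant point it encodes is that RFC 6797 (section 8.1) requires a user agent to process only the first HSTS header field when several are present, so with two conflicting copies the policy actually enforced depends on which one nginx happens to emit first, not on what either the ingress or the upstream intended.

```python
"""Detect duplicate or conflicting Strict-Transport-Security headers.

Added example; not code from the issue or from ingress-nginx. The sample
response below is constructed from the header values quoted in the report.
"""
from typing import Dict, List, Optional

# Constructed sample: the two HSTS headers the reporter saw with `curl -I`,
# plus a couple of ordinary headers so the parser has something to skip.
SAMPLE_RESPONSE = (
    "HTTP/2 200\r\n"
    "server: nginx\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "strict-transport-security: max-age=15724800; includeSubDomains\r\n"
    "strict-transport-security: max-age=15552000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Group header values by lower-cased field name, keeping order and duplicates."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse one HSTS field value into its directives (names are case-insensitive)."""
    directives: Dict[str, object] = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            directives["max-age"] = int(val.strip().strip('"'))
        elif key in directives:
            directives[key] = True
    return directives


def check_hsts(raw: str) -> Dict[str, object]:
    """Summarise the HSTS state of a response.

    'effective' is the first header field, which is what an RFC 6797-conformant
    user agent applies when more than one is present; 'conflicting' is set when
    the duplicates disagree on max-age, i.e. the enforced policy is order-dependent.
    """
    values = parse_headers(raw).get("strict-transport-security", [])
    parsed = [parse_hsts(v) for v in values]
    max_ages = {p["max-age"] for p in parsed}
    effective: Optional[Dict[str, object]] = parsed[0] if parsed else None
    return {
        "count": len(values),
        "duplicate": len(values) > 1,
        "conflicting": len(max_ages) > 1,
        "effective": effective,
        "values": values,
    }


if __name__ == "__main__":
    finding = check_hsts(SAMPLE_RESPONSE)
    for key, val in finding.items():
        print(f"{key}: {val}")
```

To run it against a live endpoint instead of the constructed sample, feed it the output of `curl -sI https://host/` (the status line plus headers, CRLF-terminated); any result with `duplicate` or `conflicting` set to `True` is the symptom this issue describes and is worth a CI check after every ingress controller upgrade.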

@amq
Author

amq commented Oct 24, 2019

Most probably introduced in #4601
@ElvinEfendi

@aledbf
Member

aledbf commented Dec 29, 2019

Closing. Fixed in #4868

@aledbf aledbf closed this as completed Dec 29, 2019