Release Notes / Version 10.2101
Table Of Contents
The Apache that is deployed and configured by the provided Chef deployment was always setting the HTTP
Strict-Transport-Security
response header for HTTP and HTTPS requests. The HTTP
Strict-Transport-Security
header is not needed for HTTP requests and for HTTPS requests it was set twice, with different values, which leads to undefined behavior. As the CAE always sets the HTTP
Strict-Transport-Security
header (only) when it's actually required, it has been disabled in the Apache configuration.
(CMS-16146)