Dear list,

I have enabled gzip with

    ...
    gzip on;
    gzip_http_version 1.0;
    gzip_vary on;
    ...

to satisfy incoming HTTP 1.0 requests.

In a very similar setup which got OWASP-evaluated, I read this - marked as a defect:

"The web server sent a Vary header, which indicates that server-driven negotiation was done to determine which content should be delivered. This may indicate that different content is available based on the headers in the HTTP request."

IMHO this is a false positive ...

This is what I send:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 27 May 2014 17:55:23 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Content-Type-Options: nosniff
    Content-Length: ...
    ...

What do you think?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250449,250449#msg-250449
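
An added example, not part of the original post: a small Python triage helper that parses a response like the one quoted above and reports which request headers its Vary header names, separating content-coding negotiation (Accept-Encoding) from anything else. The function names and category labels are assumptions made for this illustration, and the sample response is constructed from the quoted headers with a placeholder Content-Length.

```python
# Added example: triage of a scanner's "Vary header present" finding.
# SAMPLE is constructed from the headers quoted in the post; the
# Content-Length value is a placeholder because the post elides it.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Tue, 27 May 2014 17:55:23 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Connection: keep-alive\r\n"
    "Vary: Accept-Encoding\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Request headers that only select a content coding (gzip or identity).
ENCODING_ONLY = {"accept-encoding"}


def vary_fields(raw_response):
    """Return the lower-cased set of field names listed in all Vary headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    fields = set()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "vary":
            # Vary may repeat, and each value is a comma-separated list.
            fields.update(v.strip().lower() for v in value.split(",") if v.strip())
    return fields


def classify_vary(raw_response):
    """Classify what the response says it was negotiated on."""
    fields = vary_fields(raw_response)
    if not fields:
        return "none"
    if "*" in fields:
        return "wildcard"  # varies on unspecified aspects of the request
    if fields <= ENCODING_ONLY:
        return "encoding-only"  # same resource, different content coding
    return "other:" + ",".join(sorted(fields - ENCODING_ONLY))


if __name__ == "__main__":
    print(classify_vary(SAMPLE))
```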