Cache overwrites security headers with Concrete 9.2.0

Hello all,

I work on Concrete v 9.2.0,
I tried adding security headers in system&settings->Environment->security.
I noticed that the settings are fine the first time I check in the browser console after clearing the concrete cache, but
when pages are displayed from cache, there are no more security headers.

Thanks for your help.

Hi @AJR - that sounds like it might be a core bug - are you able to recreate it on a demo site here?

Hello @EvanCooper and thanks to you for your reply.

I recreate bug on demo site

When pages are display without cache, I have two different rules for Stric-transport-Security and X-Frame6Options and one for Content-Security-Policy.
When pages are display with cache, I have not my values of security headers in system&settings->Environment->security.

Thanks for your help.

You’re welcome @AJR - then yes definitely create a new issue → bug report here with this information:

And hopefully a fix can get added in the new version. Thanks!