bepsvpt / secure-headers

PHP Secure Headers

Some value does not appear on the HTTP request

incoming-th opened this issue · comments

Hi,

Some values are not appearing in the headers of the request when using the console; this triggers some false positives on security reports.

Example from a local Laravel 10 environment (WSL2) and bepsvpt/secure-headers ^7.3:

image

But in the network console:

image

Is this normal? Am I doing something wrong?

That's just one example; there could be others like this.

Thanks

Hey @incoming-th ,

For keywords such as self and none, these must be represented as array keys. Changing your configuration to the following should hopefully fix the issue for you:

'frame-ancestors' => [
    'none' => true,
],

I might raise a new PR to add these options with the default as false in the PR, as I was running into the same issue as you, and it took me a while to figure it out.
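
A way to catch this kind of silent omission, as an added example that is not from this thread or from the secure-headers project: parse the emitted Content-Security-Policy value and report every expected directive or keyword that is absent. The function names and the sample header strings are assumptions constructed for illustration.

```php
<?php
// Added example: not part of bepsvpt/secure-headers.

/** Parse a Content-Security-Policy header value into [directive => [sources]]. */
function parseCsp(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if (!$tokens) {
            continue; // empty segment, e.g. a trailing ';'
        }
        $name = strtolower(array_shift($tokens));
        // A repeated directive is ignored by browsers, so keep the first one.
        if (!isset($policy[$name])) {
            $policy[$name] = $tokens;
        }
    }
    return $policy;
}

/** Return the expected "directive source" pairs that the header lacks. */
function missingFromCsp(array $expected, string $header): array
{
    $policy = parseCsp($header);
    $missing = [];
    foreach ($expected as $directive => $sources) {
        foreach ($sources as $source) {
            if (!in_array($source, $policy[$directive] ?? [], true)) {
                $missing[] = "$directive $source";
            }
        }
    }
    return $missing;
}

// Constructed header values (not taken from the screenshots in the issue).
$withoutKeyword = "default-src 'self'; script-src 'self'";
$withKeyword    = "default-src 'self'; script-src 'self'; frame-ancestors 'none'";

// What the configuration is meant to produce.
$expected = ['default-src' => ["'self'"], 'frame-ancestors' => ["'none'"]];

print_r(missingFromCsp($expected, $withoutKeyword));
print_r(missingFromCsp($expected, $withKeyword));
```

In a Laravel feature test, the header string can come from `$this->get('/')->headers->get('Content-Security-Policy')`, with an assertion that `missingFromCsp()` returns an empty array.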