curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

[gilles]

I am getting the following error on two of my websites after adding the following custom headers:

# X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
# X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
# Referrer-Policy
Header always set Referrer-Policy "strict-origin"
# Content-Security-Policy
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://ajax.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com/v3/ https://maps.googleapis.com https://stats.wp.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ data:; frame-ancestors 'self'; block-all-mixed-content; form-action 'self'; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' https://secure.gravatar.com https://i2.wp.com https://pixel.wp.com https://ps.w.org https://support.brainstormforce.com/ data:; frame-src 'self' https://js.stripe.com/ https://www.google.com https://www.google.com/recaptcha/"
# Set secure cookies
Header always edit Set-Cookie "^(.*)$ $1;HttpOnly;Secure;SameSite=Strict"
# Set Keep Alive Header
Header set Connection "keep-alive"
# HTTP Strict Transport Security
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Permissions Policy
Header set Permissions-Policy "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), vr=(self), speaker=(self), ambient-light-sensor=(self), gyroscope=(self), microphone=(self)"

Chrome and Firefox do not seem to complain on desktop, but Safari returns an error on desktop/mobile and Chrome returns an error on mobile. I am open to the idea that I wrote something wrong in the custom headers but it's hard to understand why this would result in a protocol error.

The most likely explanation I have is Chrome and Firefox supports http/3 so that's what they get and OLS is generating something wrong for http/2, which is what Safari and mobile browsers are seeing.

 

[David]

There should not be a "Connection" header for Http/2, please remove it and test again.

 

[gilles]

Oh thanks, will try that.

 

[gilles]

That was it. That's what I get for doing too much copy/paste. Thank you for the quick reply. Very much appreciated.

I see the header is prohibited in HTTP/2. Is it useful for HTTP/1.1? And if so, is there a way to define protocol-specific headers in OLS?

 

[David]

If I am you, I will remove it since now, most https are Http/2 or Http/3.

 

[gilles]

Thanks for the advice, that makes sense.