Duplicate Cache-Control header in Spring Boot application

Question

We have a Spring Boot application that runs in Openshift where we configure the Cache-Control header like this:

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().cacheControl().disable().addHeaderWriter((httpServletRequest, httpServletResponse) -> {
            httpServletResponse.setHeader(HttpHeaders.CACHE_CONTROL, "public, max-age=86400");
        });
    }
}

In the HTTP responses there are two Cache-Control headers:

$ curl --header https://<our-url> --head
HTTP/1.1 200 Connection established

HTTP/1.1 200
...
Cache-Control: public, max-age=86400
...
Cache-control: private

We expect the first header, and we have no idea where the second header comes from. (Note the lowercase c in the name of the second header.)

Any ideas where the second header comes from and how we can get rid of it?

Answer 1

I found the answer: The Cache-control header is added by HAProxy. HAProxy uses this header and a cookie to create sticky sessions (i.e. to make sure that requests from the same client are handled by the same pod).

See this question for details.

In short, you can disable this behaviour by

oc annotate route <myroute> haproxy.router.openshift.io/disable_cookies='true'