
Incompatible with IntegerNet_SansecWatch #6

Closed
norgeindian opened this issue Feb 7, 2025 · 4 comments
norgeindian commented Feb 7, 2025

We were just facing a strange issue.
We switched from manually including a CSP whitelist to the module IntegerNet_SansecWatch, which dynamically updates the headers based on the given settings in the Sansec panel.
It seems that both modules are not compatible.
At least we got the error: Unable to set the CSP header. The header size of 8211 bytes exceeds the maximum size of 8190 bytes.
We had the exact same CSP whitelist included before in a module, and there it worked.

@norgeindian
Author

Debugged that further, and it seems that it was only a caching issue.
At least it seems to work as expected when I debug it locally.

@norgeindian
Author

No, sorry, have to open it again :-)
I was not able to reproduce the issue locally, but on our testing system it can be reproduced directly.
As soon as I activate too many policies in Sansec, so that the header is too big, and update the policies, Apache directly gives up.
The question now is on which side we would need to trigger something to fix it.
IntegerNet_SansecWatch flushes or invalidates the FPC.
I tried both, but that does not fix it.
Does anyone have an idea what I could try to fix this issue?

norgeindian reopened this Feb 11, 2025

@lsiebels
Collaborator

Hi @norgeindian, thanks for reporting the problem.

It seems to me that the problem is related to issue #5. Please try to lower the threshold as described in the issue.

lsiebels self-assigned this Feb 11, 2025

@norgeindian
Author

@lsiebels, we first tried that as well, but that did not help.
In the end, we found out that Apache puts the split headers together again, at least in specific configurations.
That seems to be not that bad and Apache can live with that, but as Varnish also has a header limit of 8k, this failed.
So we had to reduce the threshold and increase the header limit in Varnish to solve it.
Hope that helps others as well.

@lsiebels, what do you think of the idea of setting the default threshold of the module lower directly, to make sure that #5 does not happen for others?
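
The failure mode described in the last comment, as an added example that is not part of the thread or of either module: CSP headers that each stay under the limit exceed it once an intermediary joins them into one field. The response data is constructed, and both the 8192-byte reading of "8k" and the `Name: value` size measure are assumptions.

```python
# Added example: constructed data, not taken from the module or the issue.
APACHE_LIMIT = 8190        # maximum size quoted in the error message above
VARNISH_LIMIT = 8 * 1024   # "8k" from the last comment, assumed to mean 8192 bytes


def parse_headers(raw):
    """Parse a raw response header block into (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n"):
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or the blank line ending the block
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def merge_same_name(pairs):
    """Join repeated headers into one comma-separated field, simulating
    the recombination of split headers reported in the thread."""
    merged = {}
    for name, value in pairs:
        merged.setdefault(name.lower(), []).append(value)
    return [(name, ", ".join(values)) for name, values in merged.items()]


def field_size(name, value):
    """Bytes of one 'Name: value' line without CRLF (assumed measure)."""
    return len(f"{name}: {value}".encode("utf-8"))


def oversized(pairs, limit):
    """Return (name, size) for every header field larger than limit."""
    return [(n, field_size(n, v)) for n, v in pairs if field_size(n, v) > limit]


def build_sample(chunks=3, hosts_per_chunk=150):
    """Constructed response whose CSP is split over several headers."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    for c in range(chunks):
        hosts = " ".join(f"https://cdn{c}-{i}.example.test"
                         for i in range(hosts_per_chunk))
        lines.append(f"Content-Security-Policy: script-src 'self' {hosts}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    split = parse_headers(build_sample())
    print("split :", oversized(split, VARNISH_LIMIT))
    print("merged:", oversized(merge_same_name(split), VARNISH_LIMIT))
```

Run against the header block captured on each hop (application, web server, cache), this shows which hop first sees a field above its limit.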
