I have a header set in the main Apache (2.4.41 Ubuntu) config with a general CSP:
Header always set Content-Security-Policy "frame-ancestors 'self';"
I'm trying to override this for a specific website, in its virtual host:
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/example/app
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/certs/default.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/default.key
Header always set Content-Security-Policy "frame-ancestors https://example2.com https://example3.com;"
</VirtualHost>
The virtual host header is ignored though. The HTTP response still returns the original header from the Apache config.
As an alternative, I tested overriding the header via the PHP app itself, but it simply adds a second duplicate header and the original Apache one still prevails.
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors https://example2.com https://example3.com;
Ah, I think I figured this out. I do:
Header set Content-Security-Policy "frame-ancestors 'none';"
in /etc/apache2/conf-enabled/security.conf (Apache on Ubuntu 18.04), and then in my virtual host do this:
Header unset Content-Security-Policy
Header always append Content-Security-Policy "frame-ancestors 'self' https://*.mydomain.com;"
This seems to work. My understanding is that this will remove any previously set Content-Security-Policy headers.
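An added check (not code from the question or the answer) for the headers the server actually sends: a constructed sample reproduces the two-CSP-header response shown above, and the functions count Content-Security-Policy headers and extract each frame-ancestors source list; example.com, example2.com and mydomain.com are the placeholders used above.

```shell
#!/usr/bin/env bash
# Added example: inspect the Content-Security-Policy headers in a response.
# For a live check, pipe `curl -sI https://example.com` into check_csp;
# the samples below are constructed to match the responses quoted above.

# Constructed sample: the duplicate-header response from the question.
SAMPLE_DUPLICATE=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors https://example2.com https://example3.com;
EOF
)

# Constructed sample: a single CSP header, as after the unset/append fix.
SAMPLE_FIXED=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'self' https://*.mydomain.com;
EOF
)

# Count Content-Security-Policy headers on stdin (header names are case-insensitive).
csp_count() {
  tr -d '\r' | grep -ic '^content-security-policy:' || true
}

# Print the source list of every frame-ancestors directive on stdin, one per line.
frame_ancestors() {
  tr -d '\r' | grep -i '^content-security-policy:' \
    | sed -E 's/^[^:]*:[[:space:]]*//' | tr ';' '\n' \
    | awk 'tolower($1)=="frame-ancestors" { $1=""; sub(/^[[:space:]]+/, ""); print }'
}

# Return 0 when exactly one CSP header is present, 1 otherwise. A browser
# enforces every CSP header it receives, so with two of them a framing page
# must be allowed by 'self' AND by the second list; that is why the header
# from the main config appears to "prevail" in the question.
check_csp() {
  local headers="$1" n
  n=$(printf '%s\n' "$headers" | csp_count)
  if [ "$n" -ne 1 ]; then
    echo "WARN: $n Content-Security-Policy header(s); all of them are enforced" >&2
    printf '%s\n' "$headers" | frame_ancestors | sed 's/^/  frame-ancestors: /' >&2
    return 1
  fi
  echo "OK: one CSP header, frame-ancestors: $(printf '%s\n' "$headers" | frame_ancestors)"
}
```

The mod_headers `always` condition keeps a header table separate from the default `onsuccess` one, so `Header unset` without `always` only removes a header added by plain `Header set`; a header added with `Header always set`, as in the main config of the question, needs `Header always unset`. Browsers enforce all CSP headers they receive, so while two are present the `'self'` list still blocks framing by the second list's origins.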