Why security scans sometimes report duplicate response headers
Understanding 103 Early Hints and how Framer sends headers over HTTP/2 and HTTP/3
If a security scan, penetration test, or browser debugging tool reports that your Framer site returns duplicate HTTP response headers (for example, Strict-Transport-Security or X-Content-Type-Options listed twice for a single request), this is almost always a false positive. Framer does not send the same header twice within one response. The apparent duplication is a side effect of how some tools display responses that use a modern HTTP feature called 103 Early Hints, where a request receives two separate responses, an interim 103 and the final 200, each with its own headers.
How Framer uses 103 Early Hints
Framer sites are served over HTTP/2 and HTTP/3, both of which support sending an interim informational (1xx) response before the final response is ready. On page navigations, Framer takes advantage of this by sending a 103 Early Hints response (defined in RFC 8297) first, followed by the final 200 OK response once the page is assembled.
Early Hints is a performance feature. It lets the browser start preloading critical resources, such as fonts, scripts, and stylesheets, while the server is still preparing the main response. This reduces the time your visitors wait before a page becomes interactive.
Both the 103 and the 200 response carry their own set of headers, and some headers, including common security headers, legitimately appear in both. This matches the HTTP specification: the headers in a 103 are early hints of what the final response is expected to carry, and only the final response's headers are binding. A scanner that wants to check a security header therefore needs to confirm it is present exactly once in the final 200 OK, not count occurrences across both phases.
Why some tools show the headers as duplicates
Browsers handle the two response phases correctly: they use the 103 Early Hints response only to act on its preload hints (the Link headers), then apply the headers from the final 200 OK as the authoritative response. Security headers such as Strict-Transport-Security take effect from the final response, so your visitors are never exposed to duplicated or conflicting headers.
Some tools, however, flatten both phases into a single list when they display a response. This includes security tools like Burp Suite, which is commonly used by penetration testers. When both phases are merged, any header that appears in both the 103 and the 200 response looks like it was sent twice, even though it was sent correctly as part of two separate responses.
This is a presentation issue in the tool, not an issue with the response itself. Your site’s security headers are not duplicated or misconfigured, and no change is needed on your end.
How to verify the response yourself
You can inspect both response phases directly with curl. A plain request, one that does not send the sec-fetch-mode header a browser sends on a page navigation, receives only the final response, so each header appears exactly once:
A request that sends the sec-fetch-mode header a browser uses for navigations (sec-fetch-mode: navigate) takes the same path a visitor's browser does and reveals both the 103 Early Hints response and the final 200 OK, each with its own headers:
Reviewing the output this way makes it clear that each header is sent once per response phase, not twice within the same response. The thing to check in a review is the final 200 OK block on its own: every security header should appear there exactly once.
What to do if this is flagged in a report
If a penetration test, compliance scan, or internal security review flags your Framer site for duplicate headers, you can share this article with the reviewer and ask them to re-check the final 200 OK response on its own, where each security header appears exactly once. Early Hints is an automatic part of how Framer delivers fast, modern sites and cannot be disabled. Because the final 200 OK response is correct and browsers honor it as the authoritative response, the finding can safely be treated as a false positive.