Summary
When default security headers are added using HttpSecurity.headers(), some headers are added twice when an async request is used.
Actual Behavior
The X-Content-Type-Options header appears twice:
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Date: Fri, 06 Sep 2019 20:04:03 GMT
Expected Behavior
No duplicate headers.
Configuration
It only happens with an async request when the payload is larger than the buffer (16K).
Version
org.springframework.security:spring-security-web:5.1.6.RELEASE
Sample
This is a minimal test that reproduces the problem:
https://github.com/zzcoder/header-test
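A check for the symptom reported above, as an added example that is not part of the original report or of Spring Security: it parses a raw response head and returns the watched security headers that occur more than once, separating identical repeats from conflicting values. The function names and the watch list are assumptions; the first sample is the response quoted in the report, the second is constructed.

```python
from collections import defaultdict

# Assumption: the watch list is the set of security headers shown in the
# report's response; each is expected once per response.
WATCHED = frozenset({
    "x-content-type-options", "x-xss-protection", "x-frame-options",
    "cache-control", "pragma", "expires",
})

def duplicate_headers(raw_response, watched=WATCHED):
    """Map each watched header seen more than once to its list of values."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    seen = defaultdict(list)
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                # ignore lines without a colon
            seen[name.strip().lower()].append(value.strip())
    return {n: v for n, v in seen.items() if n in watched and len(v) > 1}

def conflicting(dups):
    """Names whose repeated values differ (case-insensitive), sorted."""
    return sorted(n for n, v in dups.items() if len({x.lower() for x in v}) > 1)

# Response quoted in the report.
REPORTED = """HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Date: Fri, 06 Sep 2019 20:04:03 GMT
"""

# Constructed sample: two different framing policies in one response.
CONSTRUCTED = ("HTTP/1.1 200\r\nX-Frame-Options: DENY\r\n"
               "x-frame-options: SAMEORIGIN\r\n\r\nbody: x")

if __name__ == "__main__":
    for label, raw in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        dups = duplicate_headers(raw)
        print(label, dups, "conflicting:", conflicting(dups))
```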
Comment From: eleftherias
Closing as a duplicate of #4211. This issue is fixed in all currently supported versions of Spring Security.