Modules |Directives |FAQ |Glossary |Sitemap
Apache HTTP Server Version 2.4
| Description: | Customization of HTTP request and responseheaders |
|---|---|
| Status: | Extension |
| Module Identifier: | headers_module |
| Source File: | mod_headers.c |
This module provides directives to control and modify HTTP request and response headers. Headers can be merged, replaced or removed.
The directives provided bymod_headers can occur almost anywhere within the server configuration, and can be limited in scope by enclosing them inconfiguration sections.
Order of processing is important and is affected both by the order in the configuration file and by placement inconfiguration sections. These two directives have a different effect if reversed:
RequestHeader append MirrorID "mirror 12"RequestHeader unset MirrorID
This way round, theMirrorID header is not set. If reversed, the MirrorID header is set to "mirror 12".
mod_headers can be applied either early or late in the request. The normal mode is late, whenRequest Headers are set immediately before running the content generator andResponse Headers just as the response is sent down the wire. Always use Late mode in an operational server.
Early mode is designed as a test/debugging aid for developers. Directives defined using theearly keyword are set right at the beginning of processing the request. This means they can be used to simulate different requests and set up test cases, but it also means that headers may be changed at any time by other modules before generating a Response.
Because early directives are processed before the request path's configuration is traversed, early headers can only be set in a main server or virtual host context. Early directives cannot depend on a request path, so they will fail in contexts such as<Directory> or<Location>.
Header echo ^TS
MyHeader, to the response including a timestamp for when the request was received and how long it took to begin serving the request. This header can be used by the client to intuit load on the server or in isolating bottlenecks between the client and the server.Header set MyHeader "%D %t"
results in this header being added to the response:
MyHeader: D=3775428 t=991424704447256
Header set MyHeader "Hello Joe. It took %D microseconds for Apache to serve this request."
results in this header being added to the response:
MyHeader: Hello Joe. It took D=3775428 microseconds for Apache to serve this request.
MyHeader on the response if and only if headerMyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of themod_setenvif module.SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeaderHeader set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
If the headerMyRequestHeader: myvalue is present on the HTTP request, the response will contain the following header:
MyHeader: D=3775428 t=991424704447256 mytext
RequestHeader edit Destination ^https: http: early
CGI,NO_CACHE andNO_STORE environment variables all existed for the request):Header merge Cache-Control no-cache env=CGIHeader merge Cache-Control no-cache env=NO_CACHEHeader merge Cache-Control no-store env=NO_STORE
then the response would contain the following header:
Cache-Control: no-cache, no-store
Ifappend was used instead ofmerge, then the response would contain the following header:
Cache-Control: no-cache, no-cache, no-store
Header set Set-Cookie testcookie "expr=-z %{req:Cookie}"Header append Cache-Control s-maxage=600 "expr=%{REQUEST_STATUS} == 200"| Description: | Configure HTTP response headers |
|---|---|
| Syntax: | Header [condition] add|append|echo|edit|edit*|merge|set|setifempty|unset|noteheader [[expr=]value [replacement][early|env=[!]varname|expr=expression]] |
| Context: | server config, virtual host, directory, .htaccess |
| Override: | FileInfo |
| Status: | Extension |
| Module: | mod_headers |
| Compatibility: | SetIfEmpty available in 2.4.7 and later, expr=valueavailable in 2.4.10 and later |
This directive can replace, merge or remove HTTP response headers. The header is modified just after the content handler and output filters are run, allowing outgoing headers to be modified.
The optionalcondition argument determines which internal table of responses headers this directive will operate against:onsuccess (default, can be omitted) oralways. The difference between the two lists is that the headers contained in the latter are added to the response even on error, and persisted across internal redirects (for example, ErrorDocument handlers). Note also that repeating this directive with both conditions makes sense in some scenarios becausealways is not a superset ofonsuccess with respect to existing headers:
always is used in the ultimate response.mod_proxy_fcgi, in which case the CGI scripts' headers are in the table corresponding toalways and not in the default table.onsuccess condition.This difference betweenonsuccess andalways is a feature that resulted as a consequence of how httpd internally stores headers for a HTTP response, since it does not offer any "normalized" single list of headers. The main problem that can arise if the following concept is not kept in mind while writing the configuration is that some HTTP responses might end up with the same header duplicated (confusing users or sometimes even HTTP clients). For example, suppose that you have a simple PHP proxy setup withmod_proxy_fcgi and your backend PHP scripts adds theX-Foo: bar header to each HTTP response. As described above,mod_proxy_fcgi uses thealways table to store headers, so a configuration like the following ends up in the wrong result, namely having the header duplicated with both values:
# X-Foo's value is set in the 'onsuccess' headers tableHeader set X-Foo: baz
To circumvent this limitation, there are some known configuration patterns that can help, like the following:
# 'onsuccess' can be omitted since it is the defaultHeader onsuccess unset X-FooHeader always set X-Foo "baz"
Separately from thecondition parameter described above, you can limit an action based on HTTP status codes for e.g. proxied or CGI requests. See the example that uses %{REQUEST_STATUS} in the section above.
The action it performs is determined by the first argument (second argument if acondition is specified). This can be one of the following values:
Please read the difference betweenalways andonsuccess headers list described above before start reading the actions list, since that important concept still applies. Each action, in fact, works as described but only on the target headers list.
addset,append ormerge should be used instead.appendechoeditedit*edit form will match and replace exactly once in a header value, whereas theedit* form will replaceevery instance of the search pattern if it appears more than once.mergesetsetifemptysetifempty is evaluated. It is safer to useset for this use case like in the following example:Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"unsetnoteThis argument is followed by aheader name, which can include the final colon, but it is not required. Case is ignored forset,append,merge,add,unset andedit. Theheader name forecho is case sensitive and may be aregular expression.
Forset,append,merge andadd avalue is specified as the next argument. Ifvalue contains spaces, it should be surrounded by double quotes.value may be a character string, a string containingmod_headers specific format specifiers (and character literals), or anap_expr expression prefixed withexpr=
The following format specifiers are supported invalue:
| Format | Description |
|---|---|
%% | The percent sign |
%t | The time the request was received in Universal Coordinated Time since the epoch (Jan. 1, 1970) measured in microseconds. The value is preceded byt=. |
%D | The time from when the request was received to the time the headers are sent on the wire. This is a measure of the duration of the request. The value is preceded byD=. The value is measured in microseconds. |
%l | The current load averages of the actual server itself. It is designed to expose the values obtained bygetloadavg() and this represents the current load average, the 5 minute average, and the 15 minute average. The value is preceded byl= with each average separated by/.Available in 2.4.4 and later. |
%i | The current idle percentage of httpd (0 to 100) based on available processes and threads. The value is preceded byi=.Available in 2.4.4 and later. |
%b | The current busy percentage of httpd (0 to 100) based on available processes and threads. The value is preceded byb=.Available in 2.4.4 and later. |
%{VARNAME}e | The contents of theenvironment variableVARNAME. |
%{VARNAME}s | The contents of theSSL environment variableVARNAME, ifmod_ssl is enabled. |
The%s format specifier is only available in Apache 2.1 and later; it can be used instead of%e to avoid the overhead of enablingSSLOptions +StdEnvVars. IfSSLOptions +StdEnvVars must be enabled anyway for some other reason,%e will be more efficient than%s.
When the value parameter uses theap_expr parser, some expression syntax will differ from examples that evaluateboolean expressions such as <If>:
Header set foo-checksum "expr=%{md5:foo}"Foredit there is both avalue argument which is aregular expression, and an additionalreplacement string. As of version 2.4.7 the replacement string may also contain format specifiers.
TheHeader directive may be followed by an additional argument, which may be any of:
earlyenv=[!]varnamevarname exists. A! in front ofvarname reverses the test, so the directive applies only ifvarname is unset.expr=expression# This delays the evaluation of the condition clause compared to <If>Header always set CustomHeader my-value "expr=%{REQUEST_URI} =~ m#^/special_path.php$#"Except inearly mode, theHeader directives are processed just before the response is sent to the network. This means that it is possible to set and/or override most headers, except for some headers added by the HTTP header filter. Prior to 2.2.12, it was not possible to change the Content-Type header with this directive.
| Description: | Configure HTTP request headers |
|---|---|
| Syntax: | RequestHeader add|append|edit|edit*|merge|set|setifempty|unsetheader [[expr=]value [replacement][early|env=[!]varname|expr=expression]] |
| Context: | server config, virtual host, directory, .htaccess |
| Override: | FileInfo |
| Status: | Extension |
| Module: | mod_headers |
| Compatibility: | SetIfEmpty available in 2.4.7 and later, expr=valueavailable in 2.4.10 and later |
This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified. The action it performs is determined by the first argument. This can be one of the following values:
addset,append ormerge should be used instead.appendeditedit*edit form will match and replace exactly once in a header value, whereas theedit* form will replaceevery instance of the search pattern if it appears more than once.mergesetsetifemptyunsetThis argument is followed by a header name, which can include the final colon, but it is not required. Case is ignored. Forset,append,merge andadd avalue is given as the third argument. If avalue contains spaces, it should be surrounded by double quotes. Forunset, novalue should be given.value may be a character string, a string containing format specifiers or a combination of both. The supported format specifiers are the same as for theHeader, please have a look there for details. Foredit both avalue and areplacement are required, and are aregular expression and a replacement string respectively.
TheRequestHeader directive may be followed by an additional argument, which may be any of:
earlyenv=[!]varnamevarname exists. A! in front ofvarname reverses the test, so the directive applies only ifvarname is unset.expr=expressionExcept inearly mode, theRequestHeader directive is processed just before the request is run by its handler in the fixup phase. This should allow headers generated by the browser, or by Apache input filters to be overridden or modified.
Copyright 2025 The Apache Software Foundation.
Licensed under theApache License, Version 2.0.