Apache Module mod_headers

Description:	Customization of HTTP request and response headers
Status:	Extension
Module Identifier:	headers_module
Source File:	mod_headers.c
Compatibility:	`RequestHeader` is available only in Apache 2.0

Summary

This module provides directives to control and modify HTTP request and response headers. Headers can be merged, replaced or removed.

Topics

Order of Processing
Early and Late Processing
Examples

Order of Processing

The directives provided by mod_headers can occur almost anywhere within the server configuration, and can be limited in scope by enclosing them in configuration sections.

Order of processing is important and is affected both by the order in the configuration file and by placement in configuration sections. These two headers have a different effect if reversed:

RequestHeader append MirrorID "mirror 12" RequestHeader unset MirrorID

This way round, the MirrorID header is not set. If reversed, the MirrorID header is set to "mirror 12".

mod_headers can be applied either early or late in the request. The normal mode is late, when Request Headers are set immediately before running the content generator and Response Headers just as the response is sent down the wire. Always use Late mode in an operational server.

Early mode is designed as a test/debugging aid for developers. Directives defined using the early keyword are set right at the beginning of processing the request. This means they can be used to simulate different requests and set up test cases, but it also means that headers may be changed at any time by other modules before generating a Response.

Because early directives are processed before the request path's configuration is traversed, early headers can only be set in a main server or virtual host context. Early directives cannot depend on a request path, so they will fail in contexts such as <Directory> or <Location>.

Examples

Copy all request headers that begin with "TS" to the response headers:
Header echo ^TS
Add a header, MyHeader, to the response including a timestamp for when the request was received and how long it took to begin serving the request. This header can be used by the client to intuit load on the server or in isolating bottlenecks between the client and the server.
Header set MyHeader "%D %t"

results in this header being added to the response:

MyHeader: D=3775428 t=991424704447256
Say hello to Joe
Header set MyHeader "Hello Joe. It took %D microseconds \ for Apache to serve this request."

results in this header being added to the response:

MyHeader: Hello Joe. It took D=3775428 microseconds for Apache to serve this request.
Conditionally send MyHeader on the response if and only if header MyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of the mod_setenvif module.
SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader

If the header MyRequestHeader: myvalue is present on the HTTP request, the response will contain the following header:

MyHeader: D=3775428 t=991424704447256 mytext
Enable DAV to work with Apache running HTTP through SSL hardware (problem description) by replacing https: with http: in the Destination header:
RequestHeader edit Destination ^https: http: early

Header Directive

Description:	Configure HTTP response headers
Syntax:	`Header [condition] set\|setifempty\|append\|add\|unset\|unset\|echo\|edit\|edit header [value] [early\|env=[!]variable]`
Context:	server config, virtual host, directory, .htaccess
Override:	FileInfo
Status:	Extension
Module:	mod_headers
Compatibility:	SetIfEmpty added in IBM HTTP Server 7.0.0.29, 8.0.0.6, 8.5.0.2 and later. 'edit*' added in 7.0.0.35, 8.0.0.10, and 8.5.5.4

This directive can replace, merge or remove HTTP response headers. The header is modified just after the content handler and output filters are run, allowing outgoing headers to be modified.

The optional condition argument determines which internal table of responses headers this directive will operate against. Despite the name, the default value of onsuccess does not limit an action to responses with a 2xx status code. Headers set under this condition are still used when, for example, a request is successfully proxied or generated by CGI, even when they have generated a failing status code.

When your action is a function of an existing header, you may need to specify a condition of always, depending on which internal table the original header was set in. The table that corresponds to always is used for locally generated error responses as well as successful responses. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:

You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
You're modifying or removing a header generated by a CGI script, in which case the CGI scripts are in the table corresponding to always and not in the default table.
You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.

It is not currently possible to limit an action to a range of HTTP status codes, if the responses are successfully handled by e.g. CGI or proxy modules.

The action it performs is determined by the second argument. This can be one of the following values:

set: The response header is set, replacing any previous header with this name. The value may be a format string.
SetIfEmpty (IBM HTTP Server 7.0.0.29, 8.0.0.6, 8.5.0.2 and later): The response header is set, if and only if no previous header with this name exists. The value may be a format string.
append: The response header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
Do not append to the Set-Cookie header.
add: The response header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set or append should be used instead.
unset: The response header of this name is removed, if it exists. If there are multiple headers of the same name, all will be removed. value must be omitted.
unset* (IBM HTTP Server 8.5.5.16 and later): Any response header that matches the regular expression provided in header is removed. value must be omitted.
echo: Request headers with this name are echoed back in the response headers. header may be a regular expression. value must be omitted.
edit*
edit: If this response header exists, its value is transformed according to a regular expression search-and-replace. The value argument is a regular expression, and the replacement is a replacement string, which may contain backreferences. The edit form will match and replace exactly once in a header value, whereas the edit* form will replace every instance of the search pattern if it appears more than once.

This argument is followed by a header name, which can include the final colon, but it is not required. Case is ignored for set, append, add, unset, and edit. The header name for echo and unset* is case sensitive and may be a regular expression.

For set, append and add a value is specified as the third argument. If value contains spaces, it should be surrounded by double quotes. value may be a character string, a string containing format specifiers or a combination of both. The following format specifiers are supported in value:

Format	Description
`%%`	The percent sign
`%t`	The time the request was received in Universal Coordinated Time since the epoch (Jan. 1, 1970) measured in microseconds. The value is preceded by `t=`.
`%D`	The time from when the request was received to the time the headers are sent on the wire. This is a measure of the duration of the request. The value is preceded by `D=`.
`%{FOOBAR}e`	The contents of the environment variable `FOOBAR`.
`%{FOOBAR}s`	The contents of the SSL environment variable `FOOBAR`, if `mod_ssl` is enabled.

Note

The %s format specifier is only available in Apache 2.1 and later; it can be used instead of %e to avoid the overhead of enabling SSLOptions +StdEnvVars. If SSLOptions +StdEnvVars must be enabled anyway for some other reason, %e will be more efficient than %s.

For edit there is both a value argument which is a regular expression, and an additional replacement string.

The Header directive may be followed by an an additional argument, which may be used to specify conditions under which the action will be taken, or may be the keyword early to specify early processing. If the environment variable specified in the env=... argument exists (or if the environment variable does not exist and env=!... is specified) then the action specified by the Header directive will take effect. Otherwise, the directive will have no effect on the request.

Except in early mode, the Header directives are processed just before the response is sent to the network. These means that it is possible to set and/or override most headers, except for those headers added by the header filter.

After PH20970, early mode may be used at the same time as an env= check, by prefixing the environment variable name with "early;" such as "early;env=some-var". Note that when these two options are used together, the environment variable is checked extremely early during request processing. See the "--early" option on SetEnvIf for a way to set or manipulate environment variables that will be set even earlier.

RequestHeader Directive

Description:	Configure HTTP request headers
Syntax:	`RequestHeader set\|setifempty\|append\|add\|unset\|unset\|edit\|edit header [value] [replacement] [early\|env=[!]variable]`
Context:	server config, virtual host, directory, .htaccess
Override:	FileInfo
Status:	Extension
Module:	mod_headers
Compatibility:	SetIfEmpty added in IBM HTTP Server 7.0.0.29, 8.0.0.6, 8.5.0.2 and later. 'edit*' added in 7.0.0.35, 8.0.0.10, and 8.5.5.4

This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified. The action it performs is determined by the first argument. This can be one of the following values:

set: The request header is set, replacing any previous header with this name
SetIfEmpty (IBM HTTP Server 7.0.0.29, 8.0.0.6, 8.5.0.2 and later): The request header is set, if and only if no request header with this name exists. The value may be a format string.
append: The request header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
add: The request header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set or append should be used instead.
unset: The request header of this name is removed, if it exists. If there are multiple headers of the same name, all will be removed. value must be omitted.
unset* (IBM HTTP Server 8.5.5.16 and later): Any request header that matches the regular expression provided in header is removed. value must be omitted.
edit
edit*: If this request header exists, its value is transformed according to a regular expression search-and-replace. The value argument is a regular expression, and the replacement is a replacement string, which may contain backreferences. The edit form will match and replace exactly once in a header value, whereas the edit* form will replace every instance of the search pattern if it appears more than once.

This argument is followed by a header name, which can include the final colon, but it is not required. Case is ignored. For set, append and add a value is given as the third argument. If a value contains spaces, it should be surrounded by double quotes. For unset and unset*, no value should be given. value may be a character string, a string containing format specifiers or a combination of both. The supported format specifiers are the same as for the Header, please have a look there for details. For edit both a value and a replacement are required, and are a regular expression and a replacement string respectively.

The RequestHeader directive may be followed by an additional argument, which may be used to specify conditions under which the action will be taken, or may be the keyword early to specify early processing. If the environment variable specified in the env=... argument exists (or if the environment variable does not exist and env=!... is specified) then the action specified by the RequestHeader directive will take effect. Otherwise, the directive will have no effect on the request.

Except in early mode, the RequestHeader directive is processed just before the request is run by its handler in the fixup phase. This should allow headers generated by the browser, or by Apache input filters to be overridden or modified.