2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <modulesynopsis metafile="mod_headers.xml.meta">
25 <name>mod_headers</name>
26 <description>Customization of HTTP request and response
28 <status>Extension</status>
29 <sourcefile>mod_headers.c</sourcefile>
30 <identifier>headers_module</identifier>
33 <p>This module provides directives to control and modify HTTP
34 request and response headers. Headers can be merged, replaced
38 <section id="order"><title>Order of Processing</title>
40 <p>The directives provided by <module>mod_headers</module> can
41 occur almost anywhere within the server configuration, and can be
42 limited in scope by enclosing them in <a
43 href="../sections.html">configuration sections</a>.</p>
45 <p>Order of processing is important and is affected both by the
46 order in the configuration file and by placement in <a
47 href="../sections.html#mergin">configuration sections</a>. These
48 two directives have a different effect if reversed:</p>
51 RequestHeader append MirrorID "mirror 12"<br />
52 RequestHeader unset MirrorID
55 <p>This way round, the <code>MirrorID</code> header is not set. If
56 reversed, the MirrorID header is set to "mirror 12".</p>
59 <section id="early"><title>Early and Late Processing</title>
60 <p><module>mod_headers</module> can be applied either early or late
61 in the request. The normal mode is late, when <em>Request</em> Headers are
62 set immediately before running the content generator and <em>Response</em>
63 Headers just as the response is sent down the wire. Always use
64 Late mode in an operational server.</p>
66 <p>Early mode is designed as a test/debugging aid for developers.
67 Directives defined using the <code>early</code> keyword are set
68 right at the beginning of processing the request. This means
69 they can be used to simulate different requests and set up test
70 cases, but it also means that headers may be changed at any time
71 by other modules before generating a Response.</p>
73 <p>Because early directives are processed before the request path's
74 configuration is traversed, early headers can only be set in a
75 main server or virtual host context. Early directives cannot depend
76 on a request path, so they will fail in contexts such as
77 <code><Directory></code> or <code><Location></code>.</p>
80 <section id="examples"><title>Examples</title>
84 Copy all request headers that begin with "TS" to the
93 Add a header, <code>MyHeader</code>, to the response including a
94 timestamp for when the request was received and how long it
95 took to begin serving the request. This header can be used by
96 the client to intuit load on the server or in isolating
97 bottlenecks between the client and the server.
100 Header set MyHeader "%D %t"
103 <p>results in this header being added to the response:</p>
106 MyHeader: D=3775428 t=991424704447256
114 Header set MyHeader "Hello Joe. It took %D microseconds \<br />
115 for Apache to serve this request."
118 <p>results in this header being added to the response:</p>
121 MyHeader: Hello Joe. It took D=3775428 microseconds for Apache
122 to serve this request.
127 Conditionally send <code>MyHeader</code> on the response if and
128 only if header <code>MyRequestHeader</code> is present on the request.
129 This is useful for constructing headers in response to some client
130 stimulus. Note that this example requires the services of the
131 <module>mod_setenvif</module> module.
134 SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader<br />
135 Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
138 <p>If the header <code>MyRequestHeader: myvalue</code> is present on
139 the HTTP request, the response will contain the following header:</p>
142 MyHeader: D=3775428 t=991424704447256 mytext
147 Enable DAV to work with Apache running HTTP through SSL hardware
148 (<a href="http://svn.haxx.se/users/archive-2006-03/0549.shtml">problem
149 description</a>) by replacing <var>https:</var> with
150 <var>http:</var> in the <var>Destination</var> header:
153 RequestHeader edit Destination ^https: http: early
158 Set the same header value under multiple non-exclusive conditions,
159 but do not duplicate the value in the final header.
160 If all of the following conditions applied to a request (i.e.,
161 if the <code>CGI</code>, <code>NO_CACHE</code> and
162 <code>NO_STORE</code> environment variables all existed for the
166 Header merge Cache-Control no-cache env=CGI<br />
167 Header merge Cache-Control no-cache env=NO_CACHE<br />
168 Header merge Cache-Control no-store env=NO_STORE
171 <p>then the response would contain the following header:</p>
174 Cache-Control: no-cache, no-store
177 <p>If <code>append</code> was used instead of <code>merge</code>,
178 then the response would contain the following header:</p>
181 Cache-Control: no-cache, no-cache, no-store
185 Set a test cookie if and only if the client didn't send us a cookie
187 Header set Set-Cookie testcookie !$req{Cookie}
194 <name>RequestHeader</name>
195 <description>Configure HTTP request headers</description>
196 <syntax>RequestHeader add|append|edit|edit*|merge|set|unset <var>header</var>
197 [<var>value</var>] [<var>replacement</var>] [early|env=[!]<var>variable</var>]</syntax>
198 <contextlist><context>server config</context><context>virtual host</context>
199 <context>directory</context><context>.htaccess</context></contextlist>
200 <override>FileInfo</override>
203 <p>This directive can replace, merge, change or remove HTTP request
204 headers. The header is modified just before the content handler
205 is run, allowing incoming headers to be modified. The action it
206 performs is determined by the first argument. This can be one
207 of the following values:</p>
211 <dt><code>add</code></dt>
212 <dd>The request header is added to the existing set of headers,
213 even if this header already exists. This can result in two
214 (or more) headers having the same name. This can lead to
215 unforeseen consequences, and in general <code>set</code>,
216 <code>append</code> or <code>merge</code> should be used instead.</dd>
218 <dt><code>append</code></dt>
219 <dd>The request header is appended to any existing header of the
220 same name. When a new value is merged onto an existing header
221 it is separated from the existing header with a comma. This
222 is the HTTP standard way of giving a header multiple
225 <dt><code>edit</code></dt>
226 <dt><code>edit*</code></dt>
227 <dd>If this request header exists, its value is transformed according
228 to a <glossary ref="regex">regular expression</glossary>
229 search-and-replace. The <var>value</var> argument is a <glossary
230 ref="regex">regular expression</glossary>, and the <var>replacement</var>
231 is a replacement string, which may contain backreferences.
232 The <code>edit</code> form will match and replace exactly once
233 in a header value, whereas the <code>edit*</code> form will replace
234 <em>every</em> instance of the search pattern if it appears more
237 <dt><code>merge</code></dt>
238 <dd>The response header is appended to any existing header of
239 the same name, unless the value to be appended already appears in the
240 existing header's comma-delimited list of values. When a new value is
241 merged onto an existing header it is separated from the existing header
242 with a comma. This is the HTTP standard way of giving a header multiple
243 values. Values are compared in a case sensitive manner, and after
244 all format specifiers have been processed. Values in double quotes
245 are considered different from otherwise identical unquoted values.</dd>
247 <dt><code>set</code></dt>
248 <dd>The request header is set, replacing any previous header
251 <dt><code>unset</code></dt>
252 <dd>The request header of this name is removed, if it exists. If
253 there are multiple headers of the same name, all will be removed.
254 <var>value</var> must be omitted.</dd>
257 <p>This argument is followed by a header name, which can
258 include the final colon, but it is not required. Case is
259 ignored. For <code>set</code>, <code>append</code>, <code>merge</code> and
260 <code>add</code> a <var>value</var> is given as the third argument. If a
261 <var>value</var> contains spaces, it should be surrounded by double
262 quotes. For <code>unset</code>, no <var>value</var> should be given.
263 <var>value</var> may be a character string, a string containing format
264 specifiers or a combination of both. The supported format specifiers
265 are the same as for the <directive module="mod_headers">Header</directive>,
266 please have a look there for details. For <code>edit</code> both
267 a <var>value</var> and a <var>replacement</var> are required, and are
268 a <glossary ref="regex">regular expression</glossary> and a
269 replacement string respectively.</p>
271 <p>The <directive>RequestHeader</directive> directive may be followed by
272 an additional argument, which may be any of:</p>
274 <dt><code>early</code></dt>
275 <dd>Specifies <a href="#early">early processing</a>.</dd>
276 <dt><code>env=[!]varname</code></dt>
277 <dd>The directive is applied if and only if the <a href="../env.html"
278 >environment variable</a> <code>varname</code> exists.
279 A <code>!</code> in front of <code>varname</code> reverses the test,
280 so the directive applies only if <code>varname</code> is unset.</dd>
281 <dt><code>expr</code></dt>
282 <dd>An string that matches neither of the above is parsed as an
283 expression. Details of expression syntax and evaluation are
284 currently best documented on the <module>mod_filter</module> page.</dd>
287 <p>Except in <a href="#early">early</a> mode, the
288 <directive>RequestHeader</directive> directive is processed
289 just before the request is run by its handler in the fixup phase.
290 This should allow headers generated by the browser, or by Apache
291 input filters to be overridden or modified.</p>
297 <description>Configure HTTP response headers</description>
298 <syntax>Header [<var>condition</var>] add|append|echo|edit|merge|set|unset
299 <var>header</var> [<var>value</var>] [early|env=[!]<var>variable</var>]</syntax>
300 <contextlist><context>server config</context><context>virtual host</context>
301 <context>directory</context><context>.htaccess</context></contextlist>
302 <override>FileInfo</override>
303 <compatibility>Default condition was temporarily changed to "always" in 2.3.9 and 2.3.10</compatibility>
306 <p>This directive can replace, merge or remove HTTP response
307 headers. The header is modified just after the content handler
308 and output filters are run, allowing outgoing headers to be
311 <p> The optional <var>condition</var> argument determines which internal
312 table of responses headers this directive will operate against. Other
313 components of the server may have stored their response headers in either
314 the table that corresponds to <code>onsuccess</code> or the table that
315 corresponds to <code>always</code>. "Always" in this context refers to
316 whether headers you add will be sent during both a successful and unsucessful
317 response, but if your action is a function of an existing header, you
318 will have to read on for further complications.</p>
320 <p> The default value of <code>onsuccess</code> may need to be changed to
321 <code>always</code> under the circumstances similar to those listed below.
322 Note also that repeating this directive with both conditions makes sense in
323 some scenarios because <code>always</code> is not a superset of
324 <code>onsuccess</code> with respect to existing headers:</p>
327 <li> You're adding a header to a non-success (non-2xx) response, such
328 as a redirect, in which case only the table corresponding to
329 <code>always</code> is used in the ultimate response.</li>
330 <li> You're modifying or removing a header generated by a CGI script,
331 in which case the CGI scripts are in the table corresponding to
332 <code>always</code> and not in the default table.</li>
333 <li> You're modifying or removing a header generated by some piece of
334 the server but that header is not being found by the default
335 <code>onsuccess</code> condition.</li>
338 <p>The action it performs is determined by the first
339 argument (second argument if a <var>condition</var> is specified).
340 This can be one of the following values:</p>
343 <dt><code>add</code></dt>
344 <dd>The response header is added to the existing set of headers,
345 even if this header already exists. This can result in two
346 (or more) headers having the same name. This can lead to
347 unforeseen consequences, and in general <code>set</code>,
348 <code>append</code> or <code>merge</code> should be used instead.</dd>
350 <dt><code>append</code></dt>
351 <dd>The response header is appended to any existing header of
352 the same name. When a new value is merged onto an existing
353 header it is separated from the existing header with a comma.
354 This is the HTTP standard way of giving a header multiple values.</dd>
356 <dt><code>echo</code></dt>
357 <dd>Request headers with this name are echoed back in the
358 response headers. <var>header</var> may be a
359 <glossary ref="regex">regular expression</glossary>.
360 <var>value</var> must be omitted.</dd>
362 <dt><code>edit</code></dt>
363 <dd>If this request header exists, its value is transformed according
364 to a <glossary ref="regex">regular expression</glossary>
365 search-and-replace. The <var>value</var> argument is a <glossary
366 ref="regex">regular expression</glossary>, and the <var>replacement</var>
367 is a replacement string, which may contain backreferences.</dd>
369 <dt><code>merge</code></dt>
370 <dd>The response header is appended to any existing header of
371 the same name, unless the value to be appended already appears in the
372 header's comma-delimited list of values. When a new value is merged onto
373 an existing header it is separated from the existing header with a comma.
374 This is the HTTP standard way of giving a header multiple values.
375 Values are compared in a case sensitive manner, and after
376 all format specifiers have been processed. Values in double quotes
377 are considered different from otherwise identical unquoted values.</dd>
379 <dt><code>set</code></dt>
380 <dd>The response header is set, replacing any previous header
381 with this name. The <var>value</var> may be a format string.</dd>
383 <dt><code>unset</code></dt>
384 <dd>The response header of this name is removed, if it exists.
385 If there are multiple headers of the same name, all will be
386 removed. <var>value</var> must be omitted.</dd>
389 <p>This argument is followed by a <var>header</var> name, which
390 can include the final colon, but it is not required. Case is
391 ignored for <code>set</code>, <code>append</code>, <code>merge</code>,
392 <code>add</code>, <code>unset</code> and <code>edit</code>.
393 The <var>header</var> name for <code>echo</code>
394 is case sensitive and may be a <glossary ref="regex">regular
395 expression</glossary>.</p>
397 <p>For <code>set</code>, <code>append</code>, <code>merge</code> and
398 <code>add</code> a <var>value</var> is specified as the next argument.
400 contains spaces, it should be surrounded by double quotes.
401 <var>value</var> may be a character string, a string containing format
402 specifiers or a combination of both. The following format specifiers
403 are supported in <var>value</var>:</p>
405 <table border="1" style="zebra">
406 <columnspec><column width=".25"/><column width=".75"/></columnspec>
407 <tr><th>Format</th><th>Description</th></tr>
408 <tr><td><code>%%</code></td>
409 <td>The percent sign</td></tr>
411 <tr><td><code>%t</code></td>
412 <td>The time the request was received in Universal Coordinated Time
413 since the epoch (Jan. 1, 1970) measured in microseconds. The value
414 is preceded by <code>t=</code>.</td></tr>
416 <tr><td><code>%D</code></td>
417 <td>The time from when the request was received to the time the
418 headers are sent on the wire. This is a measure of the duration
419 of the request. The value is preceded by <code>D=</code>.
420 The value is measured in microseconds.</td></tr>
422 <tr><td><code>%{VARNAME}e</code></td>
423 <td>The contents of the <a href="../env.html">environment
424 variable</a> <code>VARNAME</code>.</td></tr>
426 <tr><td><code>%{VARNAME}s</code></td>
427 <td>The contents of the <a href="mod_ssl.html#envvars">SSL environment
428 variable</a> <code>VARNAME</code>, if <module>mod_ssl</module> is enabled.</td></tr>
432 <note><title>Note</title>
433 <p>The <code>%s</code> format specifier is only available in
434 Apache 2.1 and later; it can be used instead of <code>%e</code>
435 to avoid the overhead of enabling <code>SSLOptions
436 +StdEnvVars</code>. If <code>SSLOptions +StdEnvVars</code> must
437 be enabled anyway for some other reason, <code>%e</code> will be
438 more efficient than <code>%s</code>.</p>
441 <p>For <code>edit</code> there is both a <var>value</var> argument
442 which is a <glossary ref="regex">regular expression</glossary>,
443 and an additional <var>replacement</var> string.</p>
445 <p>The <directive>Header</directive> directive may be followed by
446 an additional argument, which may be any of:</p>
448 <dt><code>early</code></dt>
449 <dd>Specifies <a href="#early">early processing</a>.</dd>
450 <dt><code>env=[!]varname</code></dt>
451 <dd>The directive is applied if and only if the <a href="../env.html"
452 >environment variable</a> <code>varname</code> exists.
453 A <code>!</code> in front of <code>varname</code> reverses the test,
454 so the directive applies only if <code>varname</code> is unset.</dd>
455 <dt><code>expr</code></dt>
456 <dd>An string that matches neither of the above is parsed as an
457 expression. Details of expression syntax and evaluation are
458 currently best documented on the <module>mod_filter</module> page.</dd>
461 <p>Except in <a href="#early">early</a> mode, the
462 <directive>Header</directive> directives are processed just
463 before the response is sent to the network. These means that it is
464 possible to set and/or override most headers, except for those headers
465 added by the HTTP header filter, such as Content-Type.</p>