2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <modulesynopsis metafile="mod_headers.xml.meta">
25 <name>mod_headers</name>
26 <description>Customization of HTTP request and response
28 <status>Extension</status>
29 <sourcefile>mod_headers.c</sourcefile>
30 <identifier>headers_module</identifier>
33 <p>This module provides directives to control and modify HTTP
34 request and response headers. Headers can be merged, replaced
38 <section id="order"><title>Order of Processing</title>
40 <p>The directives provided by <module>mod_headers</module> can
41 occur almost anywhere within the server configuration, and can be
42 limited in scope by enclosing them in <a
43 href="../sections.html">configuration sections</a>.</p>
45 <p>Order of processing is important and is affected both by the
46 order in the configuration file and by placement in <a
47 href="../sections.html#mergin">configuration sections</a>. These
48 two directives have a different effect if reversed:</p>
50 <highlight language="config">
51 RequestHeader append MirrorID "mirror 12"
52 RequestHeader unset MirrorID
55 <p>This way round, the <code>MirrorID</code> header is not set. If
56 reversed, the MirrorID header is set to "mirror 12".</p>
59 <section id="early"><title>Early and Late Processing</title>
60 <p><module>mod_headers</module> can be applied either early or late
61 in the request. The normal mode is late, when <em>Request</em> Headers are
62 set immediately before running the content generator and <em>Response</em>
63 Headers just as the response is sent down the wire. Always use
64 Late mode in an operational server.</p>
66 <p>Early mode is designed as a test/debugging aid for developers.
67 Directives defined using the <code>early</code> keyword are set
68 right at the beginning of processing the request. This means
69 they can be used to simulate different requests and set up test
70 cases, but it also means that headers may be changed at any time
71 by other modules before generating a Response.</p>
73 <p>Because early directives are processed before the request path's
74 configuration is traversed, early headers can only be set in a
75 main server or virtual host context. Early directives cannot depend
76 on a request path, so they will fail in contexts such as
77 <directive type="section" module="core">Directory</directive> or
78 <directive type="section" module="core">Location</directive>.</p>
81 <section id="examples"><title>Examples</title>
85 Copy all request headers that begin with "TS" to the
88 <highlight language="config">
94 Add a header, <code>MyHeader</code>, to the response including a
95 timestamp for when the request was received and how long it
96 took to begin serving the request. This header can be used by
97 the client to intuit load on the server or in isolating
98 bottlenecks between the client and the server.
100 <highlight language="config">
101 Header set MyHeader "%D %t"
104 <p>results in this header being added to the response:</p>
107 MyHeader: D=3775428 t=991424704447256
114 <highlight language="config">
115 Header set MyHeader "Hello Joe. It took %D microseconds for Apache to serve this request."
118 <p>results in this header being added to the response:</p>
121 MyHeader: Hello Joe. It took D=3775428 microseconds for Apache
122 to serve this request.
127 Conditionally send <code>MyHeader</code> on the response if and
128 only if header <code>MyRequestHeader</code> is present on the request.
129 This is useful for constructing headers in response to some client
130 stimulus. Note that this example requires the services of the
131 <module>mod_setenvif</module> module.
133 <highlight language="config">
134 SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
135 Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
138 <p>If the header <code>MyRequestHeader: myvalue</code> is present on
139 the HTTP request, the response will contain the following header:</p>
142 MyHeader: D=3775428 t=991424704447256 mytext
147 Enable DAV to work with Apache running HTTP through SSL hardware
148 (<a href="http://svn.haxx.se/users/archive-2006-03/0549.shtml">problem
149 description</a>) by replacing <var>https:</var> with
150 <var>http:</var> in the <var>Destination</var> header:
152 <highlight language="config">
153 RequestHeader edit Destination ^https: http: early
158 Set the same header value under multiple nonexclusive conditions,
159 but do not duplicate the value in the final header.
160 If all of the following conditions applied to a request (i.e.,
161 if the <code>CGI</code>, <code>NO_CACHE</code> and
162 <code>NO_STORE</code> environment variables all existed for the
165 <highlight language="config">
166 Header merge Cache-Control no-cache env=CGI
167 Header merge Cache-Control no-cache env=NO_CACHE
168 Header merge Cache-Control no-store env=NO_STORE
171 <p>then the response would contain the following header:</p>
174 Cache-Control: no-cache, no-store
177 <p>If <code>append</code> was used instead of <code>merge</code>,
178 then the response would contain the following header:</p>
181 Cache-Control: no-cache, no-cache, no-store
185 Set a test cookie if and only if the client didn't send us a cookie
186 <highlight language="config">
187 Header set Set-Cookie testcookie "expr=-z %{req:Cookie}"
191 Append a Caching header for responses with a HTTP status code of 200
192 <highlight language="config">
193 Header append Cache-Control s-maxage=600 "expr=%{REQUEST_STATUS} == 200"
201 <name>RequestHeader</name>
202 <description>Configure HTTP request headers</description>
203 <syntax>RequestHeader add|append|edit|edit*|merge|set|setifempty|unset
204 <var>header</var> [[expr=]<var>value</var> [<var>replacement</var>]
205 [early|env=[!]<var>varname</var>|expr=<var>expression</var>]]
207 <contextlist><context>server config</context><context>virtual host</context>
208 <context>directory</context><context>.htaccess</context></contextlist>
209 <override>FileInfo</override>
210 <compatibility>SetIfEmpty available in 2.4.7 and later, expr=value
211 available in 2.4.10 and later</compatibility>
214 <p>This directive can replace, merge, change or remove HTTP request
215 headers. The header is modified just before the content handler
216 is run, allowing incoming headers to be modified. The action it
217 performs is determined by the first argument. This can be one
218 of the following values:</p>
222 <dt><code>add</code></dt>
223 <dd>The request header is added to the existing set of headers,
224 even if this header already exists. This can result in two
225 (or more) headers having the same name. This can lead to
226 unforeseen consequences, and in general <code>set</code>,
227 <code>append</code> or <code>merge</code> should be used instead.</dd>
229 <dt><code>append</code></dt>
230 <dd>The request header is appended to any existing header of the
231 same name. When a new value is merged onto an existing header
232 it is separated from the existing header with a comma. This
233 is the HTTP standard way of giving a header multiple
236 <dt><code>edit</code></dt>
237 <dt><code>edit*</code></dt>
238 <dd>If this request header exists, its value is transformed according
239 to a <glossary ref="regex">regular expression</glossary>
240 search-and-replace. The <var>value</var> argument is a <glossary
241 ref="regex">regular expression</glossary>, and the <var>replacement</var>
242 is a replacement string, which may contain backreferences or format specifiers.
243 The <code>edit</code> form will match and replace exactly once
244 in a header value, whereas the <code>edit*</code> form will replace
245 <em>every</em> instance of the search pattern if it appears more
248 <dt><code>merge</code></dt>
249 <dd>The request header is appended to any existing header of
250 the same name, unless the value to be appended already appears in the
251 existing header's comma-delimited list of values. When a new value is
252 merged onto an existing header it is separated from the existing header
253 with a comma. This is the HTTP standard way of giving a header multiple
254 values. Values are compared in a case sensitive manner, and after
255 all format specifiers have been processed. Values in double quotes
256 are considered different from otherwise identical unquoted values.</dd>
258 <dt><code>set</code></dt>
259 <dd>The request header is set, replacing any previous header
262 <dt><code>setifempty</code></dt>
263 <dd>The request header is set, but only if there is no previous header
264 with this name.<br />
265 Available in 2.4.7 and later.</dd>
267 <dt><code>unset</code></dt>
268 <dd>The request header of this name is removed, if it exists. If
269 there are multiple headers of the same name, all will be removed.
270 <var>value</var> must be omitted.</dd>
273 <p>This argument is followed by a header name, which can
274 include the final colon, but it is not required. Case is
275 ignored. For <code>set</code>, <code>append</code>, <code>merge</code> and
276 <code>add</code> a <var>value</var> is given as the third argument. If a
277 <var>value</var> contains spaces, it should be surrounded by double
278 quotes. For <code>unset</code>, no <var>value</var> should be given.
279 <var>value</var> may be a character string, a string containing format
280 specifiers or a combination of both. The supported format specifiers
281 are the same as for the <directive module="mod_headers">Header</directive>,
282 please have a look there for details. For <code>edit</code> both
283 a <var>value</var> and a <var>replacement</var> are required, and are
284 a <glossary ref="regex">regular expression</glossary> and a
285 replacement string respectively.</p>
287 <p>The <directive>RequestHeader</directive> directive may be followed by
288 an additional argument, which may be any of:</p>
290 <dt><code>early</code></dt>
291 <dd>Specifies <a href="#early">early processing</a>.</dd>
292 <dt><code>env=[!]<var>varname</var></code></dt>
293 <dd>The directive is applied if and only if the <a href="../env.html"
294 >environment variable</a> <code>varname</code> exists.
295 A <code>!</code> in front of <code>varname</code> reverses the test,
296 so the directive applies only if <code>varname</code> is unset.</dd>
297 <dt><code>expr=<var>expression</var></code></dt>
298 <dd>The directive is applied if and only if <var>expression</var>
299 evaluates to true. Details of expression syntax and evaluation are
300 documented in the <a href="../expr.html">ap_expr</a> documentation.</dd>
303 <p>Except in <a href="#early">early</a> mode, the
304 <directive>RequestHeader</directive> directive is processed
305 just before the request is run by its handler in the fixup phase.
306 This should allow headers generated by the browser, or by Apache
307 input filters to be overridden or modified.</p>
313 <description>Configure HTTP response headers</description>
314 <syntax>Header [<var>condition</var>] add|append|echo|edit|edit*|merge|set|setifempty|unset|note
315 <var>header</var> [[expr=]<var>value</var> [<var>replacement</var>]
316 [early|env=[!]<var>varname</var>|expr=<var>expression</var>]]
318 <contextlist><context>server config</context><context>virtual host</context>
319 <context>directory</context><context>.htaccess</context></contextlist>
320 <override>FileInfo</override>
321 <compatibility>SetIfEmpty available in 2.4.7 and later, expr=value
322 available in 2.4.10 and later</compatibility>
325 <p>This directive can replace, merge or remove HTTP response
326 headers. The header is modified just after the content handler
327 and output filters are run, allowing outgoing headers to be
330 <p> The optional <var>condition</var> argument determines which internal
331 table of responses headers this directive will operate against:
332 <code>onsuccess</code> (default, can be omitted) or <code>always</code>.
333 The difference between the two lists is that the headers contained in the
334 latter are added to the response even on error, and persisted across
335 internal redirects (for example, ErrorDocument handlers).
337 Note also that repeating this directive with both conditions makes sense in
338 some scenarios because <code>always</code> is not a superset of
339 <code>onsuccess</code> with respect to existing headers:</p>
342 <li> You're adding a header to a locally generated non-success (non-2xx) response, such
343 as a redirect, in which case only the table corresponding to
344 <code>always</code> is used in the ultimate response.</li>
345 <li> You're modifying or removing a header generated by a CGI script
346 or by <module>mod_proxy_fcgi</module>,
347 in which case the CGI scripts' headers are in the table corresponding to
348 <code>always</code> and not in the default table.</li>
349 <li> You're modifying or removing a header generated by some piece of
350 the server but that header is not being found by the default
351 <code>onsuccess</code> condition.</li>
354 <p>This difference between <code>onsuccess</code> and <code>always</code> is
355 a feature that resulted as a consequence of how httpd internally stores
356 headers for a HTTP response, since it does not offer any "normalized" single
357 list of headers. The main problem that can arise if the following concept
358 is not kept in mind while writing the configuration is that some HTTP responses
359 might end up with the same header duplicated (confusing users or sometimes even
360 HTTP clients). For example, suppose that you have a simple PHP proxy setup with
361 <module>mod_proxy_fcgi</module> and your backend PHP scripts adds the
362 <code>X-Foo: bar</code> header to each HTTP response. As described above,
363 <module>mod_proxy_fcgi</module> uses the <code>always</code> table to store
364 headers, so a configuration like the following ends up in the wrong result, namely
365 having the header duplicated with both values:</p>
367 <highlight language="config">
368 # X-Foo's value is set in the 'onsuccess' headers table
369 Header set X-Foo: baz
372 <p>To circumvent this limitation, there are some known configuration
373 patterns that can help, like the following:</p>
375 <highlight language="config">
376 # 'onsuccess' can be omitted since it is the default
377 Header onsuccess unset X-Foo
378 Header always set X-Foo "baz"
381 <p>Separately from the <var>condition</var> parameter described above, you
382 can limit an action based on HTTP status codes for e.g. proxied or CGI
383 requests. See the example that uses %{REQUEST_STATUS} in the section above.</p>
385 <p>The action it performs is determined by the first
386 argument (second argument if a <var>condition</var> is specified).
387 This can be one of the following values:</p>
389 <note type="warning"><title>Warning</title>
390 <p>Please read the difference between <code>always</code>
391 and <code>onsuccess</code> headers list described above
392 before start reading the actions list, since that important
393 concept still applies. Each action, in fact, works as described
394 but only on the target headers list.</p>
398 <dt><code>add</code></dt>
399 <dd>The response header is added to the existing set of headers,
400 even if this header already exists. This can result in two
401 (or more) headers having the same name. This can lead to
402 unforeseen consequences, and in general <code>set</code>,
403 <code>append</code> or <code>merge</code> should be used instead.</dd>
405 <dt><code>append</code></dt>
406 <dd>The response header is appended to any existing header of
407 the same name. When a new value is merged onto an existing
408 header it is separated from the existing header with a comma.
409 This is the HTTP standard way of giving a header multiple values.</dd>
411 <dt><code>echo</code></dt>
412 <dd>Request headers with this name are echoed back in the
413 response headers. <var>header</var> may be a
414 <glossary ref="regex">regular expression</glossary>.
415 <var>value</var> must be omitted.</dd>
417 <dt><code>edit</code></dt>
418 <dt><code>edit*</code></dt>
419 <dd>If this response header exists, its value is transformed according
420 to a <glossary ref="regex">regular expression</glossary>
421 search-and-replace. The <var>value</var> argument is a <glossary
422 ref="regex">regular expression</glossary>, and the <var>replacement</var>
423 is a replacement string, which may contain backreferences or format specifiers.
424 The <code>edit</code> form will match and replace exactly once
425 in a header value, whereas the <code>edit*</code> form will replace
426 <em>every</em> instance of the search pattern if it appears more
429 <dt><code>merge</code></dt>
430 <dd>The response header is appended to any existing header of
431 the same name, unless the value to be appended already appears in the
432 header's comma-delimited list of values. When a new value is merged onto
433 an existing header it is separated from the existing header with a comma.
434 This is the HTTP standard way of giving a header multiple values.
435 Values are compared in a case sensitive manner, and after
436 all format specifiers have been processed. Values in double quotes
437 are considered different from otherwise identical unquoted values.</dd>
439 <dt><code>set</code></dt>
440 <dd>The response header is set, replacing any previous header
441 with this name. The <var>value</var> may be a format string.</dd>
443 <dt><code>setifempty</code></dt>
444 <dd>The request header is set, but only if there is no previous header
447 The Content-Type header is a special use case since there might be
448 the chance that its value have been determined but the header is not part
449 of the response when <code>setifempty</code> is evaluated.
450 It is safer to use <code>set</code> for this use case like in the
452 <highlight language="config">
453 Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"
457 <dt><code>unset</code></dt>
458 <dd>The response header of this name is removed, if it exists.
459 If there are multiple headers of the same name, all will be
460 removed. <var>value</var> must be omitted.</dd>
462 <dt><code>note</code></dt>
463 <dd>The value of the named response <var>header</var> is copied into an
464 internal note whose name is given by <var>value</var>. This is useful
465 if a header sent by a CGI or proxied resource is configured to be unset
466 but should also be logged.<br />
467 Available in 2.4.7 and later.</dd>
471 <p>This argument is followed by a <var>header</var> name, which
472 can include the final colon, but it is not required. Case is
473 ignored for <code>set</code>, <code>append</code>, <code>merge</code>,
474 <code>add</code>, <code>unset</code> and <code>edit</code>.
475 The <var>header</var> name for <code>echo</code>
476 is case sensitive and may be a <glossary ref="regex">regular
477 expression</glossary>.</p>
479 <p>For <code>set</code>, <code>append</code>, <code>merge</code> and
480 <code>add</code> a <var>value</var> is specified as the next argument.
482 contains spaces, it should be surrounded by double quotes.
483 <var>value</var> may be a character string, a string containing
484 <module>mod_headers</module> specific format specifiers (and character
485 literals), or an <a href="../expr.html">ap_expr</a> expression prefixed
486 with <em>expr=</em></p>
488 <p> The following format specifiers are supported in <var>value</var>:</p>
490 <table border="1" style="zebra">
491 <columnspec><column width=".25"/><column width=".75"/></columnspec>
492 <tr><th>Format</th><th>Description</th></tr>
493 <tr><td><code>%%</code></td>
494 <td>The percent sign</td></tr>
496 <tr><td><code>%t</code></td>
497 <td>The time the request was received in Universal Coordinated Time
498 since the epoch (Jan. 1, 1970) measured in microseconds. The value
499 is preceded by <code>t=</code>.</td></tr>
501 <tr><td><code>%D</code></td>
502 <td>The time from when the request was received to the time the
503 headers are sent on the wire. This is a measure of the duration
504 of the request. The value is preceded by <code>D=</code>.
505 The value is measured in microseconds.</td></tr>
507 <tr><td><code>%l</code></td>
508 <td>The current load averages of the actual server itself. It is
509 designed to expose the values obtained by <code>getloadavg()</code>
510 and this represents the current load average, the 5 minute average, and
511 the 15 minute average. The value is preceded by <code>l=</code> with each
512 average separated by <code>/</code>.<br />
513 Available in 2.4.4 and later.
516 <tr><td><code>%i</code></td>
517 <td>The current idle percentage of httpd (0 to 100) based on available
518 processes and threads. The value is preceded by <code>i=</code>.<br />
519 Available in 2.4.4 and later.
522 <tr><td><code>%b</code></td>
523 <td>The current busy percentage of httpd (0 to 100) based on available
524 processes and threads. The value is preceded by <code>b=</code>.<br />
525 Available in 2.4.4 and later.
528 <tr><td><code>%{VARNAME}e</code></td>
529 <td>The contents of the <a href="../env.html">environment
530 variable</a> <code>VARNAME</code>.</td></tr>
532 <tr><td><code>%{VARNAME}s</code></td>
533 <td>The contents of the <a href="mod_ssl.html#envvars">SSL environment
534 variable</a> <code>VARNAME</code>, if <module>mod_ssl</module> is enabled.</td></tr>
538 <note><title>Note</title>
539 <p>The <code>%s</code> format specifier is only available in
540 Apache 2.1 and later; it can be used instead of <code>%e</code>
541 to avoid the overhead of enabling <code>SSLOptions
542 +StdEnvVars</code>. If <code>SSLOptions +StdEnvVars</code> must
543 be enabled anyway for some other reason, <code>%e</code> will be
544 more efficient than <code>%s</code>.</p>
547 <note><title>Note on expression values</title>
548 <p> When the value parameter uses the <a href="../expr.html">ap_expr</a>
549 parser, some expression syntax will differ from examples that evaluate
550 <em>boolean</em> expressions such as <If>:</p>
552 <li>The starting point of the grammar is 'string' rather than 'expr'.</li>
553 <li>Function calls use the %{funcname:arg} syntax rather than
555 <li>Multi-argument functions are not currently accessible from this
557 <li>Quote the entire parameter, such as
558 <highlight language="config">
559 Header set foo-checksum "expr=%{md5:foo}"
566 <p>For <code>edit</code> there is both a <var>value</var> argument
567 which is a <glossary ref="regex">regular expression</glossary>,
568 and an additional <var>replacement</var> string. As of version 2.4.7
569 the replacement string may also contain format specifiers.</p>
571 <p>The <directive>Header</directive> directive may be followed by
572 an additional argument, which may be any of:</p>
574 <dt><code>early</code></dt>
575 <dd>Specifies <a href="#early">early processing</a>.</dd>
576 <dt><code>env=[!]<var>varname</var></code></dt>
577 <dd>The directive is applied if and only if the <a href="../env.html"
578 >environment variable</a> <code>varname</code> exists.
579 A <code>!</code> in front of <code>varname</code> reverses the test,
580 so the directive applies only if <code>varname</code> is unset.</dd>
581 <dt><code>expr=<var>expression</var></code></dt>
582 <dd>The directive is applied if and only if <var>expression</var>
583 evaluates to true. Details of expression syntax and evaluation are
584 documented in the <a href="../expr.html">ap_expr</a> documentation.
585 <highlight language="config">
586 # This delays the evaluation of the condition clause compared to <If>
587 Header always set CustomHeader my-value "expr=%{REQUEST_URI} =~ m#^/special_path.php$#"
592 <p>Except in <a href="#early">early</a> mode, the
593 <directive>Header</directive> directives are processed just
594 before the response is sent to the network. This means that it is
595 possible to set and/or override most headers, except for some headers
596 added by the HTTP header filter. Prior to 2.2.12, it was not possible
597 to change the Content-Type header with this directive.</p>