mod_headers.xml revision e4cfb943c9bfdf1ccc92822b79898168314bf434
<?xml version="1.0"?>
<!-- $LastChangedRevision$ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<modulesynopsis metafile="mod_headers.xml.meta">
<name>mod_headers</name>
<description>Customization of HTTP request and response
headers</description>
<status>Extension</status>
<identifier>headers_module</identifier>
<summary>
<p>This module provides directives to control and modify HTTP
request and response headers. Headers can be merged, replaced
or removed.</p>
</summary>
<section id="order"><title>Order of Processing</title>
<p>The directives provided by <module>mod_headers</module> can
occur almost anywhere within the server configuration, and can be
limited in scope by enclosing them in <a
<p>Order of processing is important and is affected both by the
order in the configuration file and by placement in <a
href="/sections.html#mergin">configuration sections</a>. These
two directives have a different effect if reversed:</p>
<example>
RequestHeader append MirrorID "mirror 12"<br />
RequestHeader unset MirrorID
</example>
<p>This way round, the <code>MirrorID</code> header is not set. If
reversed, the MirrorID header is set to "mirror 12".</p>
</section>
<section id="early"><title>Early and Late Processing</title>
<p><module>mod_headers</module> can be applied either early or late
in the request. The normal mode is late, when <em>Request</em> Headers are
set immediately before running the content generator and <em>Response</em>
Headers just as the response is sent down the wire. Always use
Late mode in an operational server.</p>
Directives defined using the <code>early</code> keyword are set
right at the beginning of processing the request. This means
they can be used to simulate different requests and set up test
cases, but it also means that headers may be changed at any time
by other modules before generating a Response.</p>
<p>Because early directives are processed before the request path's
configuration is traversed, early headers can only be set in a
main server or virtual host context. Early directives cannot depend
on a request path, so they will fail in contexts such as
<code><Directory></code> or <code><Location></code>.</p>
</section>
<section id="examples"><title>Examples</title>
<ol>
<li>
Copy all request headers that begin with "TS" to the
response headers:
<example>
Header echo ^TS
</example>
</li>
<li>
Add a header, <code>MyHeader</code>, to the response including a
timestamp for when the request was received and how long it
took to begin serving the request. This header can be used by
the client to intuit load on the server or in isolating
bottlenecks between the client and the server.
<example>
Header set MyHeader "%D %t"
</example>
<p>results in this header being added to the response:</p>
<example>
MyHeader: D=3775428 t=991424704447256
</example>
</li>
<li>
Say hello to Joe
<example>
Header set MyHeader "Hello Joe. It took %D microseconds \<br />
for Apache to serve this request."
</example>
<p>results in this header being added to the response:</p>
<example>
MyHeader: Hello Joe. It took D=3775428 microseconds for Apache
to serve this request.
</example>
</li>
<li>
Conditionally send <code>MyHeader</code> on the response if and
only if header <code>MyRequestHeader</code> is present on the request.
This is useful for constructing headers in response to some client
stimulus. Note that this example requires the services of the
<module>mod_setenvif</module> module.
<example>
SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader<br />
Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
</example>
<p>If the header <code>MyRequestHeader: myvalue</code> is present on
the HTTP request, the response will contain the following header:</p>
<example>
MyHeader: D=3775428 t=991424704447256 mytext
</example>
</li>
<li>
Enable DAV to work with Apache running HTTP through SSL hardware
(<a href="http://svn.haxx.se/users/archive-2006-03/0549.shtml">problem
description</a>) by replacing <var>https:</var> with
<var>http:</var> in the <var>Destination</var> header:
<example>
RequestHeader edit Destination ^https: http: early
</example>
</li>
<li>
Set the same header value under multiple non-exclusive conditions,
but do not duplicate the value in the final header.
If all of the following conditions applied to a request (i.e.,
if the <code>CGI</code>, <code>NO_CACHE</code> and
<code>NO_STORE</code> environment variables all existed for the
request):
<example>
Header merge Cache-Control no-cache env=CGI<br />
Header merge Cache-Control no-cache env=NO_CACHE<br />
Header merge Cache-Control no-store env=NO_STORE
</example>
<p>then the response would contain the following header:</p>
<example>
Cache-Control: no-cache, no-store
</example>
<p>If <code>append</code> was used instead of <code>merge</code>,
then the response would contain the following header:</p>
<example>
Cache-Control: no-cache, no-cache, no-store
</example>
</li>
<li>
Set a test cookie if and only if the client didn't send us a cookie
<example>
Header set Set-Cookie testcookie !$req{Cookie}
</example>
</li>
</ol>
</section>
<directivesynopsis>
<name>RequestHeader</name>
<description>Configure HTTP request headers</description>
<syntax>RequestHeader add|append|edit|edit*|merge|set|unset <var>header</var>
[<var>value</var>] [<var>replacement</var>] [early|env=[!]<var>variable</var>]</syntax>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context><context>.htaccess</context></contextlist>
<override>FileInfo</override>
<usage>
<p>This directive can replace, merge, change or remove HTTP request
headers. The header is modified just before the content handler
is run, allowing incoming headers to be modified. The action it
performs is determined by the first argument. This can be one
of the following values:</p>
<dl>
<dt><code>add</code></dt>
<dd>The request header is added to the existing set of headers,
even if this header already exists. This can result in two
(or more) headers having the same name. This can lead to
unforeseen consequences, and in general <code>set</code>,
<code>append</code> or <code>merge</code> should be used instead.</dd>
<dt><code>append</code></dt>
<dd>The request header is appended to any existing header of the
same name. When a new value is merged onto an existing header
it is separated from the existing header with a comma. This
is the HTTP standard way of giving a header multiple
values.</dd>
<dt><code>edit</code></dt>
<dt><code>edit*</code></dt>
<dd>If this request header exists, its value is transformed according
to a <glossary ref="regex">regular expression</glossary>
search-and-replace. The <var>value</var> argument is a <glossary
ref="regex">regular expression</glossary>, and the <var>replacement</var>
is a replacement string, which may contain backreferences.
The <code>edit</code> form will match and replace exactly once
in a header value, whereas the <code>edit*</code> form will replace
<em>every</em> instance of the search pattern if it appears more
than once.</dd>
<dt><code>merge</code></dt>
<dd>The response header is appended to any existing header of
the same name, unless the value to be appended already appears in the
existing header's comma-delimited list of values. When a new value is
merged onto an existing header it is separated from the existing header
with a comma. This is the HTTP standard way of giving a header multiple
values. Values are compared in a case sensitive manner, and after
all format specifiers have been processed. Values in double quotes
are considered different from otherwise identical unquoted values.</dd>
<dt><code>set</code></dt>
<dd>The request header is set, replacing any previous header
with this name</dd>
<dt><code>unset</code></dt>
<dd>The request header of this name is removed, if it exists. If
there are multiple headers of the same name, all will be removed.
<var>value</var> must be omitted.</dd>
</dl>
<p>This argument is followed by a header name, which can
include the final colon, but it is not required. Case is
ignored. For <code>set</code>, <code>append</code>, <code>merge</code> and
<code>add</code> a <var>value</var> is given as the third argument. If a
<var>value</var> contains spaces, it should be surrounded by double
quotes. For <code>unset</code>, no <var>value</var> should be given.
<var>value</var> may be a character string, a string containing format
specifiers or a combination of both. The supported format specifiers
are the same as for the <directive module="mod_headers">Header</directive>,
please have a look there for details. For <code>edit</code> both
a <var>value</var> and a <var>replacement</var> are required, and are
a <glossary ref="regex">regular expression</glossary> and a
replacement string respectively.</p>
<p>The <directive>RequestHeader</directive> directive may be followed by
an additional argument, which may be any of:</p>
<dl>
<dt><code>early</code></dt>
<dd>Specifies <a href="#early">early processing</a>.</dd>
<dt><code>env=[!]varname</code></dt>
>environment variable</a> <code>varname</code> exists.
A <code>!</code> in front of <code>varname</code> reverses the test,
so the directive applies only if <code>varname</code> is unset.</dd>
<dt><code>expr</code></dt>
<dd>An string that matches neither of the above is parsed as an
expression. Details of expression syntax and evaluation are
currently best documented on the <module>mod_filter</module> page.</dd>
</dl>
<p>Except in <a href="#early">early</a> mode, the
<directive>RequestHeader</directive> directive is processed
just before the request is run by its handler in the fixup phase.
This should allow headers generated by the browser, or by Apache
input filters to be overridden or modified.</p>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>Header</name>
<description>Configure HTTP response headers</description>
<syntax>Header [<var>condition</var>] add|append|echo|edit|merge|set|unset
<var>header</var> [<var>value</var>] [early|env=[!]<var>variable</var>]</syntax>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context><context>.htaccess</context></contextlist>
<override>FileInfo</override>
<usage>
<p>This directive can replace, merge or remove HTTP response
headers. The header is modified just after the content handler
and output filters are run, allowing outgoing headers to be
modified.</p>
<p> The optional <var>condition</var> argument determines which internal
table of responses headers this directive will operate against. Other
components of the server may have stored their response headers in either
the table that corresponds to <code>onsuccess</code> or the table that
corresponds to <code>always</code>. "Always" in this context refers to
whether headers you add will be sent during both a successful and unsucessful
response, but if your action is a function of an existing header, you
will have to read on for further complications.</p>
<p> The default value of <code>onsuccess</code> may need to be changed to
<code>always</code> under the circumstances similar to those listed below
Note also that repeating this directive with both conditions makes sense in
some scenarios because <code>always</code> is not a superset of
<code>onsuccess</code> with respect to existing headers:</p>
<ul>
<li> You're adding a header to a non-success (non-2xx) response, such
as a redirect, in which case only the table corresponding to
<code>always</code> is used in the ultimate response.</li>
<li> You're modifying or removing a header generated by a CGI script,
in which case the CGI scripts are in the table corresponding to
<code>always</code> and not in the default table.</li>
<li> You're modifying or removing a header generated by some piece of
the server but that header is not being found by the default
<code>onsuccess</code> condition.</li>
</ul>
<p>The action it performs is determined by the first
argument (second argument if a <var>condition</var> is specified).
This can be one of the following values:</p>
<dl>
<dt><code>add</code></dt>
<dd>The response header is added to the existing set of headers,
even if this header already exists. This can result in two
(or more) headers having the same name. This can lead to
unforeseen consequences, and in general <code>set</code>,
<code>append</code> or <code>merge</code> should be used instead.</dd>
<dt><code>append</code></dt>
<dd>The response header is appended to any existing header of
the same name. When a new value is merged onto an existing
header it is separated from the existing header with a comma.
This is the HTTP standard way of giving a header multiple values.</dd>
<dt><code>echo</code></dt>
<dd>Request headers with this name are echoed back in the
response headers. <var>header</var> may be a
<glossary ref="regex">regular expression</glossary>.
<var>value</var> must be omitted.</dd>
<dt><code>edit</code></dt>
<dd>If this request header exists, its value is transformed according
to a <glossary ref="regex">regular expression</glossary>
search-and-replace. The <var>value</var> argument is a <glossary
ref="regex">regular expression</glossary>, and the <var>replacement</var>
is a replacement string, which may contain backreferences.</dd>
<dt><code>merge</code></dt>
<dd>The response header is appended to any existing header of
the same name, unless the value to be appended already appears in the
header's comma-delimited list of values. When a new value is merged onto
an existing header it is separated from the existing header with a comma.
This is the HTTP standard way of giving a header multiple values.
Values are compared in a case sensitive manner, and after
all format specifiers have been processed. Values in double quotes
are considered different from otherwise identical unquoted values.</dd>
<dt><code>set</code></dt>
<dd>The response header is set, replacing any previous header
with this name. The <var>value</var> may be a format string.</dd>
<dt><code>unset</code></dt>
<dd>The response header of this name is removed, if it exists.
If there are multiple headers of the same name, all will be
removed. <var>value</var> must be omitted.</dd>
</dl>
<p>This argument is followed by a <var>header</var> name, which
can include the final colon, but it is not required. Case is
ignored for <code>set</code>, <code>append</code>, <code>merge</code>,
<code>add</code>, <code>unset</code> and <code>edit</code>.
The <var>header</var> name for <code>echo</code>
is case sensitive and may be a <glossary ref="regex">regular
expression</glossary>.</p>
<p>For <code>set</code>, <code>append</code>, <code>merge</code> and
<code>add</code> a <var>value</var> is specified as the next argument.
If <var>value</var>
contains spaces, it should be surrounded by double quotes.
<var>value</var> may be a character string, a string containing format
specifiers or a combination of both. The following format specifiers
are supported in <var>value</var>:</p>
<table border="1" style="zebra">
<columnspec><column width=".25"/><column width=".75"/></columnspec>
<tr><th>Format</th><th>Description</th></tr>
<tr><td><code>%%</code></td>
<td>The percent sign</td></tr>
<tr><td><code>%t</code></td>
<td>The time the request was received in Universal Coordinated Time
since the epoch (Jan. 1, 1970) measured in microseconds. The value
is preceded by <code>t=</code>.</td></tr>
<tr><td><code>%D</code></td>
<td>The time from when the request was received to the time the
headers are sent on the wire. This is a measure of the duration
of the request. The value is preceded by <code>D=</code>.
The value is measured in microseconds.</td></tr>
<tr><td><code>%{VARNAME}e</code></td>
variable</a> <code>VARNAME</code>.</td></tr>
<tr><td><code>%{VARNAME}s</code></td>
variable</a> <code>VARNAME</code>, if <module>mod_ssl</module> is enabled.</td></tr>
</table>
<note><title>Note</title>
<p>The <code>%s</code> format specifier is only available in
Apache 2.1 and later; it can be used instead of <code>%e</code>
to avoid the overhead of enabling <code>SSLOptions
+StdEnvVars</code>. If <code>SSLOptions +StdEnvVars</code> must
be enabled anyway for some other reason, <code>%e</code> will be
more efficient than <code>%s</code>.</p>
</note>
<p>For <code>edit</code> there is both a <var>value</var> argument
which is a <glossary ref="regex">regular expression</glossary>,
and an additional <var>replacement</var> string.</p>
<p>The <directive>Header</directive> directive may be followed by
an additional argument, which may be any of:</p>
<dl>
<dt><code>early</code></dt>
<dd>Specifies <a href="#early">early processing</a>.</dd>
<dt><code>env=[!]varname</code></dt>
>environment variable</a> <code>varname</code> exists.
A <code>!</code> in front of <code>varname</code> reverses the test,
so the directive applies only if <code>varname</code> is unset.</dd>
<dt><code>expr</code></dt>
<dd>An string that matches neither of the above is parsed as an
expression. Details of expression syntax and evaluation are
currently best documented on the <module>mod_filter</module> page.</dd>
</dl>
<p>Except in <a href="#early">early</a> mode, the
<directive>Header</directive> directives are processed just
before the response is sent to the network. These means that it is
added by the HTTP header filter, such as Content-Type.</p>
</usage>
</directivesynopsis>
</modulesynopsis>