Home » Php » apache – Authorization header missing in PHP POST request

apache – Authorization header missing in PHP POST request

Posted by: admin April 23, 2020 Leave a comment


I’m currently trying to read the authorization header in a PHP script that I’m calling with a POST request. The Authorization header is populated with a token. It seems the Authorization header is somehow removed before it arrives at my PHP script. I’m executing the post request with Postman (Chrome addon) and I enabled CORS in my PHP script. I don’t have access to the apache server directly.

HTTP Request:

Authorization:Bearer mytoken
 User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)       
 Chrome/38.0.2125.104 Safari/537.36

PHP script:

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: Authorization, Origin, X-Requested-With, Content-Type,      Accept");
header("Content-Type: application/json");

$headers = getallheaders();
echo $headers['Authorization'];

The above script outputs ” (= nothing).

How to&Answers:

After quite some time a found a solution to this problem. Somehow the Authorization header was stripped away and by adding the following lines in my .htaccess I was able to get it to work.

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]


I had first to add this to my machines Apache config file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

On Linux in /etc/apache2/apache2.conf

On Mac using Homebrew in /usr/local/etc/httpd/httpd.conf

On Mac with “native” Apache: /private/etc/apache2/httpd.conf
or: /etc/apache2/httpd.conf

Adding this to .htaccess didn’t work for any reason:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]


Below array holds request headers, that may be missing in $_SERVER variable

$headers = apache_request_headers();

(Especially true for ‘HTTP_X_REQUESTED_WITH’ ajax header, which will be found this way as:


I don’t know why my php 5.4.45 running on NGINX was refusing any custom header containing underscores:

CURLOPT_HTTPHEADER => array(‘Authorization: 123456’)

CURLOPT_HTTPHEADER => array(‘my_Authorization: 123456’)

I hope it can help someone. Cheers


This solution (mentioned above) worked for me after tricking httpd.conf file:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

To make this work, httpd.conf had to include these directives in my Alias section:

AllowOverride All
Options FollowSymLinks

The first one is too open (yes, I know), but .htaccess is totally avoided if you put AllowOverride None.

Also, RewriteRule is avoided too is you don’t use FollowSymLinks or so (based in Apache docs)