Home » Php » Fetching custom Authorization header from incoming PHP request

Fetching custom Authorization header from incoming PHP request

Posted by: admin April 23, 2020 Leave a comment


So I’m trying to parse an incoming request in PHP which has the following header set:

Authorization: Custom Username

Simple question: how on earth do I get my hands on it? If it was Authorization: Basic, I could get the username from $_SERVER["PHP_AUTH_USER"]. If it was X-Custom-Authorization: Username, I could get the username from $_SERVER["HTTP_X_CUSTOM_AUTHORIZATION"]. But neither of these are set by a custom Authorization, var_dump($_SERVER) reveals no mention of the header (in particular, AUTH_TYPE is missing), and PHP5 functions like get_headers() only work on responses to outgoing requests. I’m running PHP 5 on Apache with an out-of-the box Ubuntu install.

How to&Answers:

If you’re only going to use Apache you might want to have a look at apache_request_headers().


For token based auth:

  $token = null;
  $headers = apache_request_headers();
    $matches = array();
    preg_match('/Token token="(.*)"/', $headers['Authorization'], $matches);
      $token = $matches[1];


Add this code into your .htaccess

RewriteEngine On
RewriteRule .* - [e=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Pass your header like Authorization: {auth_code} and finally you get the Authorization code by using $_SERVER['HTTP_AUTHORIZATION']


For background, why Apache filters away the Authorization header: https://stackoverflow.com/a/17490827

Solutions depending on which Apache module is used to pass the request to the application:

mod_wsgi, mod_fcgid:


Other hacks – massaging the headers in this question:


Juste use:

$headers = apache_request_headers();
$token = $headers['token'];