
php – Server removes custom HTTP header fields

Posted by: admin July 12, 2020

Questions:

I’ve been trying to receive HTTP requests with custom fields in the headers but it seems like my server removes them…

This is the request that I am sending to the server (I read that request with an HTTP proxy):

POST /oauth.php/request_token HTTP/1.1
Host: domain.com
User-Agent: DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
Authorization: OAuth realm="", oauth_consumer_key="ebb942f0d260b06cb533c6133c28408004d343197", oauth_signature_method="HMAC-SHA1", oauth_signature="qPBFAa8XRRbor2%2F%2FQXv6kU3%2F7jU%3D", oauth_timestamp="1295278460", oauth_nonce="E7D6AC76-74CE-4951-8182-7EBF9B382E7E", oauth_version="1.0"
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Content-Length: 0
Connection: keep-alive
Proxy-Connection: keep-alive

I printed the headers of the request when I arrive on my page.php. I see this:

uri http://domain.com/oauth.php/request_token
parameters 
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Connection : keep-alive
.... Host : domain.com
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

when I should be seeing this (it is working on a local version):

uri http://localhost:8888/oauth.php/request_token
parameters 
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Authorization : OAuth realm="", oauth_consumer_key="582d95bd45d455fa2e5819f88fc0c5a104d2c7ff3", oauth_signature_method="HMAC-SHA1", oauth_signature="agPSFdtlGxXv2sbrz3pRjHlROOE%3D", oauth_timestamp="1295272680", oauth_nonce="667A133C-5071-48AB-9F13-8146425E46B7", oauth_version="1.0"
.... Connection : keep-alive
.... Content-Length : 0
.... Host : localhost:8888
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

I am using php 5.2.17 on the server.

Do you have any idea to help me fix that issue?

Thanks!

How to & Answers:

Apache strips the Authentication header because it’s a security risk, when used with CGI. Are you using PHP through CGI?

I think PHP also strips Authentication in some circumstances. Again, there’s a risk that exposing it to scripts will allow one user’s code to sniff other users’ on the same server (e.g., if Alice and Bob both have accounts).

Answer:

Actually, there is a pretty easy fix. The fault lies with FastCGI. You can just provide an .htaccess file with a rewrite rule to save the header.

<IfModule mod_rewrite.c>

...

# Pass Authorization headers to an environment variable
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

</IfModule>

Credit goes here: https://drupal.org/node/1365168

They also talk about an even simpler solution to let these headers pass through, if you are using a virtual host.
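
An added example, not part of the original answer: once the rewrite rule above copies the header into the environment, the PHP side still has to look for it in more than one place, because Apache prefixes environment variables with REDIRECT_ after an internal redirect. The function names and sample values below are hypothetical and constructed for illustration.

```php
<?php
// Added example: find the Authorization header wherever the server put it,
// then parse its OAuth 1.0 parameters. Function names are hypothetical.

function find_authorization_header(array $server)
{
    // The E= flag in the rewrite rule sets HTTP_AUTHORIZATION; after an
    // internal redirect Apache renames it to REDIRECT_HTTP_AUTHORIZATION.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // Under mod_php the header can be read from Apache directly.
    if (function_exists('apache_request_headers')) {
        foreach (apache_request_headers() as $name => $value) {
            if (strcasecmp($name, 'Authorization') === 0) {
                return $value;
            }
        }
    }
    return null; // header was stripped before reaching PHP
}

function parse_oauth_header($header)
{
    if ($header === null || stripos($header, 'OAuth ') !== 0) {
        return array();
    }
    $params = array();
    // Parameters are name="value" pairs, comma separated, percent-encoded.
    preg_match_all('/([a-z_]+)="([^"]*)"/i', substr($header, 6), $m, PREG_SET_ORDER);
    foreach ($m as $pair) {
        $params[$pair[1]] = rawurldecode($pair[2]);
    }
    return $params;
}

// Constructed $_SERVER contents, as seen after an internal redirect.
$sample = array(
    'REQUEST_METHOD' => 'POST',
    'REDIRECT_HTTP_AUTHORIZATION' => 'OAuth realm="", oauth_consumer_key="example-key", '
        . 'oauth_signature_method="HMAC-SHA1", oauth_signature="c2lnbmF0dXJl%3D", '
        . 'oauth_timestamp="1295278460", oauth_nonce="example-nonce", oauth_version="1.0"',
);

$params = parse_oauth_header(find_authorization_header($sample));
// Log parameter names only: the header value is a credential.
error_log('OAuth params received: ' . implode(',', array_keys($params)));
```

In a real request, pass `$_SERVER` instead of `$sample`; an empty result means the header never reached PHP and the server configuration still needs the fix.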

Answer:

Please include the actual names of the headers that are being cut. This question is useless in its present form, forcing us to guess…

Have you checked with Firebug/HTTPFox that your browser’s actually sending those headers? Unless you’ve specifically configured the server to clean up the headers, it’s going to pass-through any custom ones as-is.

The Authorization header, which is where the OAuth data gets sent, would ONLY be sent by a client in response to a server-side 401 “authorization required” request. If you haven’t added the server-side “must have password to get in” configuration, the client’s not going to send auth info.