Home » Php » php – Server removes custom HTTP header fields

php – Server removes custom HTTP header fields

Posted by: admin July 12, 2020 Leave a comment


I’ve been trying to receive HTTP requests with custom fields in the headers but it seems like my server removes them…

This is the request that I am sending to the server (I read that request with a HTTP Proxy) :

POST /oauth.php/request_token HTTP/1.1
Host: domain.com
User-Agent: DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
Authorization: OAuth realm="", oauth_consumer_key="ebb942f0d260b06cb533c6133c28408004d343197", oauth_signature_method="HMAC-SHA1", oauth_signature="qPBFAa8XRRbor2%2F%2FQXv6kU3%2F7jU%3D", oauth_timestamp="1295278460", oauth_nonce="E7D6AC76-74CE-4951-8182-7EBF9B382E7E", oauth_version="1.0"
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Content-Length: 0
Connection: keep-alive
Proxy-Connection: keep-alive

I printed the headers of the request when I arrive on my page.php. I see that :

uri http://domain.com/oauth.php/request_token
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Connection : keep-alive
.... Host : domain.com
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

when I should be seeing that (it is working on a local version)

uri http://localhost:8888/oauth.php/request_token
headers Array
.... Accept : */*
.... Accept-Encoding : gzip, deflate
.... Accept-Language : en-us
.... Authorization : OAuth realm="", oauth_consumer_key="582d95bd45d455fa2e5819f88fc0c5a104d2c7ff3", oauth_signature_method="HMAC-SHA1", oauth_signature="agPSFdtlGxXv2sbrz3pRjHlROOE%3D", oauth_timestamp="1295272680", oauth_nonce="667A133C-5071-48AB-9F13-8146425E46B7", oauth_version="1.0"
.... Connection : keep-alive
.... Content-Length : 0
.... Host : localhost:8888
.... User-Agent : DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0
method POST

I am using php 5.2.17 on the server.

Do you have any idea to help me fix that issue?


How to&Answers:

Apache strips the Authentication header because it’s a security risk, when used with CGI. Are you using PHP through CGI?

I think PHP also strips Authentication in some circumstances. Again, there’s a risk that exposing it to scripts will allow one users’ code to sniff other users’ on the same server (e.g., if Alice and Bob both have accounts).


Actually, there is a pretty easy fix. The fault lays with fastcgi. You can just provide an .htaccess file with a rewrite rule to save the header.

<IfModule mod_rewrite.c>


# Pass Authorization headers to an environment variable
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


Credit goes here: https://drupal.org/node/1365168

They also talk about an even simpler solution to let these headers pass through, if you are using a virtual host.


Please include the actual names of the headers that are being cut. This question is useless in its present form, forcing us to guess…

Have you checked with Firebug/HTTPFox that your browser’s actually sending those headers? Unless you’ve specifically configured the server to clean up the headers, it’s going to pass-through any custom ones as-is.

The Authorization header, which is where the OAuth data gets sent, would ONLY be sent by a client in response to a server-side 401 “authorization required” request. If you haven’t added the server-side “must have password to get in” configuration, the client’s not going to send auth info.