
Apache Request and Response Headers


Most users don't realise that while browsing the WWW there is a constant conversation going on between the browser and the web server. Below you can see the specific Headers that were passed from your browser to our webserver and back when this page was requested.

Apache Request Headers

The following headers were sent by your browser when requesting this page. The Host and Cookie details will change for different websites, and the Referer will depend on where you've come from, but otherwise every site or page you visit will receive this information from your browser:

Header: Value
Host: www.the-art-of-web.com
Accept-Encoding: x-gzip, gzip, deflate
User-Agent: CCBot/2.0 (commoncrawl.org/faq/)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Output produced by the PHP function apache_request_headers.

Apache Response Headers

Our Apache server generated the following HTTP headers in response to your request for this page:

Header: Value
Last-Modified: Sun, 07 Aug 2016 08:02:22 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: Chirp%5CSecureToken=20shes1lfbe06p6qbivrfd6a96; path=/
Content-type: text/html; charset=UTF-8

Output produced by the PHP function headers_list.

But after the initial response, more headers can be added, or modified, by services such as PHP. For this page the following paints a fuller picture:

Header: Value
HTTP/1.1 200 OK
Date: Sun, 17 Dec 2017 21:27:47 GMT
Server: Apache/2.4
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8

Output produced using a cURL HEAD request.

Getting the full picture

The best way to get a full picture of the response headers is to make an HTTP GET request from outside the server. A great tool for this is REDbot, which tells us the following headers were sent:

Header: Value
HTTP/1.1 200 OK
Date: Sun, 16 Dec 2012 10:52:48 GMT
Server: Apache/2.2.16
X-Mod-Pagespeed: enabled
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=0, no-cache
Content-Length: 3718
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

From the above you can see the version of Apache that we're using, and that we're using ModPagespeed and mod_compress to serve gzip'ed content. Most other software and version details have been, and should be, suppressed for security reasons.
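
An added example (not code from this site): a small Python check that parses a raw response head and lists the version tokens disclosed by software-identifying headers, so a configuration change can be verified from outside the server. The header list, the regex and the verbose sample are assumptions chosen for illustration; the REDbot sample is abridged from the output above.

```python
import re

# Headers whose purpose is to name server-side software (list chosen for this example).
SOFTWARE_HEADERS = {"server", "x-powered-by", "x-mod-pagespeed"}

# "Product/1.2.3" tokens, or a bare dotted version such as "1.9.32.3-4523".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w-]*/\d[\w.-]*|\b\d+(?:\.\d+)+[\w-]*")

# Response head reported by REDbot, abridged from the listing on this page.
REDBOT_SAMPLE = """\
HTTP/1.1 200 OK
Date: Sun, 16 Dec 2012 10:52:48 GMT
Server: Apache/2.2.16
X-Mod-Pagespeed: enabled
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample (not from the page): a Server header with full tokens,
# the kind of module and OpenSSL detail the 2008 comment refers to.
VERBOSE_SAMPLE = """\
HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Return (name, value) pairs from a raw response head; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("HTTP/"):
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit(raw):
    """Map each software-identifying header to its version tokens ([] = none shown)."""
    return {
        name: VERSION_TOKEN.findall(value)
        for name, value in parse_headers(raw)
        if name.lower() in SOFTWARE_HEADERS
    }


if __name__ == "__main__":
    for sample in (REDBOT_SAMPLE, VERBOSE_SAMPLE):
        print(audit(sample))
```

An empty list for a header means it still names the software but no longer gives a version, which is the result expected for Server once ServerTokens is set to 'Prod'.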

Removing server details

Apache

In Apache2 on Debian the relevant settings can be found in /etc/apache2/conf.d/security:

Setting ServerTokens to 'Prod' instead of 'Minimal' will display just 'Apache' and no version number.

ModPagespeed

In /etc/apache/mods-available/pagespeed.conf you can suppress the version number by substituting other text, for example:


User Comments


5 August, 2016

I saw in your page how you were able to display the msisdn of my phone. When I tried retrieving same from php code, I could not get the code to display the msisdn. Please what is the php code that enables one to display the msisdn from the header information?

The code we're using on the page is very simple - something like this:

<table>
<?PHP
$arr = apache_request_headers();
foreach($arr as $key => $val) {
echo "<tr>";
echo "<td>",htmlspecialchars($key),"</td>";
echo "<td>",htmlspecialchars($val),"</td>";
echo "</tr>\n";
}
?>
</table>

27 September, 2008

Actually your Apache did not send what your page says, but rather sent headers spilling the beans about the patchlevel of your OpenSSL install.

Thanks for the reminder. That information is added after the page has been generated, and has been suppressed now using a ServerTokens directive.
