Apache Request and Response Headers
Most users don't realise that while browsing the WWW there is a constant conversation going on between the browser and the web server. Below you can see the specific Headers that were passed from your browser to our webserver and back when this page was requested.
Apache Request Headers
The following headers were sent by your browser when requesting this page. The Host and Cookie details will change for different websites, and the Referer depending on where you're come from, but otherwise every site/page you visit will receive this information from your browser:
Header | Value |
---|---|
accept | */* |
user-agent | Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +) |
accept-encoding | gzip, br, zstd, deflate |
referer | www.the-art-of-web.com/system/apache-headers |
host | www.the-art-of-web.com |
Output produced by the PHP function apache_request_headers.
Apache Response Headers
Our Apache server generated the following HTTP headers in response to your request for this page:
Header | Value |
---|---|
Last-Modified | Fri, 10 Mar 2023 09:27:35 GMT |
Content-type | text/html; charset=UTF-8 |
Output produced by the PHP function headers_list.
But after the initial response, more headers can be added, or modified, by services such as PHP. For this page the following paints a fuller picture:
Header | Value |
---|---|
HTTP/1.1 200 OK | |
Date | Thu, 21 Nov 2024 10:26:31 GMT |
Server | Apache/2.4 |
Vary | User-Agent,Accept-Encoding |
X-Mod-Pagespeed | enabled |
X-Content-Type-Options | nosniff |
X-Frame-Options | sameorigin |
X-XSS-Protection | 1; mode=block |
Cache-Control | max-age=0, no-cache |
Content-Type | text/html; charset=UTF-8 |
Output produced using a cURL HEAD request.
Getting the full picture
The best way to get a full picture of the response headers is to make an HTTP GET request from outside the server. A great tool for this is REDbot which tells us the following headers were sent:
Header | Value |
---|---|
HTTP/1.1 200 OK | |
Date | Sun, 16 Dec 2012 10:52:48 GMT |
Server | Apache/2.2.16 |
X-Mod-Pagespeed | enabled |
Vary | Accept-Encoding |
Content-Encoding | gzip |
Cache-Control | max-age=0, no-cache |
Content-Length | 3718 |
Keep-Alive | timeout=15, max=100 |
Connection | Keep-Alive |
Content-Type | text/html; charset=UTF-8 |
You can see from the above the version of Apache that we're using, that we're using ModPagespeed and mod_compress to serve gzip'ed content. Most other software and version details have been, and should be, suppressed for security reasons.
Removing server details
Apache
In Apache2 on Debian the relevant settings can be found in /etc/apache2/conf.d/security:
- ServerTokens Minimal
- ServerSignature Off
Setting ServerTokens to 'Prod' instead of 'Minimal' will display just 'Apache' and no version number.
ModPagespeed
In /etc/apache/mods-available/pagespeed.conf you can supress the version number by substituting other text, for example:
- ModPagespeedXHeaderValue "enabled"
References
- PHP.net: apache_request_headers
- PHP.net: apache_response_headers
Idongesit Akpan 5 August, 2016
I saw in your page how you were able to display the msisdn of my phone. When I tried retrieving same from php code, I could not get the code to display the msisdn . Please what is the php code that enables one to display the msisdn from the header information?
The code we're using on the page is very simple - something like this:
<table>
<?PHP
$arr = apache_request_headers();
foreach($arr as $key => $val) {
echo "<tr>";
echo "<td>",htmlspecialchars($key),"</td>";
echo "<td>",htmlspecialchars($val),"</td>";
echo "</tr>\n";
}
?>
</table>
Bernhard Schulte 27 September, 2008
Actually your Apache did not send what your page says, but rather sent headers spilling the beans about the patchlevel of your OpenSSL install.
Thanks for the reminder. That information is added after the page has been generated, and has been suppressed now using a ServerTokens directive