HTTP response headers convey essential metadata from server to client and influence behavior of web browsers, proxies, and other downstream services. They define characteristics such as caching instructions, content security policies, and the server’s identity. Administrators can manipulate these headers to control how resources are delivered and interpreted.
Altering default headers can harden security, optimize site performance, or fulfill specific compliance requirements. Adding a custom header such as Content-Security-Policy can mitigate threats like cross-site scripting, while customizing other directives can reduce information leakage. Each header carries implications that must be carefully evaluated to avoid unintended results.
Apache integrates the mod_headers module to allow fine-grained header control, including adding, modifying, or removing fields. This mechanism supports advanced configurations for implementing custom directives, meeting internal policies, or establishing specialized behavior.
Steps to set custom response headers in Apache:
- Launch terminal.
- Enable headers module for Apache.
$ sudo a2enmod headers # Ubuntu, Debian and SUSE variants Enabling module headers. To activate the new configuration, you need to run: systemctl restart apache2
- Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
- CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2enmod support yes yes no no no no Modules to install none Module name n/a headers Loadmodule directive n/a LoadModule headers_module <module_locations>/mod_headers.so - Open the configuration file for your Apache website using your preferred text editor.
$ sudo vi /etc/apache2/sites-available/000-mysite.conf
- Locate the section where you want to apply the custom header, such as within a specific VirtualHost or Directory directive.
<VirtualHost *:80> #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
- Add or modify headers within the configuration file using the Header directive with your own custom name and value.
<VirtualHost *:80> #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html Header set MyCustomHeader "Set any values here" ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
- Save and exit the text editor.
- Reload or restart the Apache service to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu and Debian $ sudo systemctl restart httpd # CentOS and Red Hat
- Verify Apache returns the configured custom header tools like curl.
$ curl -I 127.0.0.1 HTTP/1.1 200 OK Date: Sun, 03 Sep 2023 03:41:54 GMT Server: Apache/2.4.55 (Ubuntu) Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT ETag: "29af-603be4163c6a4" Accept-Ranges: bytes Content-Length: 10671 Vary: Accept-Encoding MyCustomHeader: Set any values here Content-Type: text/html
Look for your custom header in the response to confirm that it's being sent.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.