The mod_headers module in Apache allows you to manipulate HTTP request and response headers. This is particularly useful for tasks like adding security headers, modifying caching behavior, or implementing custom routing logic.
Before installation, verify if the module is already available:
apache2ctl -M | grep headers
# or for older systems:
httpd -M | grep headers
If you see headers_module in the output, the module is already loaded.
On Debian/Ubuntu systems:
sudo apt-get update
sudo apt-get install apache2
sudo a2enmod headers
sudo systemctl restart apache2
On CentOS/RHEL systems:
sudo yum install httpd
sudo vim /etc/httpd/conf.modules.d/00-base.conf
# Ensure this line exists: LoadModule headers_module modules/mod_headers.so
sudo systemctl restart httpd
Add security headers to all responses:
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Remove the Server header for security:
<IfModule mod_headers.c>
Header unset Server
</IfModule>
Conditionally set headers based on request attributes:
<IfModule mod_headers.c>
<FilesMatch "\.(js|css)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
<If "%{REQUEST_URI} =~ m#^/api/#">
Header set Content-Type "application/json"
</If>
</IfModule>
If headers aren't appearing as expected:
# Check for syntax errors
apache2ctl configtest
# or
httpd -t
# Verify module loading
apache2ctl -M
# or
httpd -M
# Check error logs
tail -f /var/log/apache2/error.log
# or
tail -f /var/log/httpd/error_log
Excessive header manipulation can impact performance. For high-traffic sites:
- Use
Header mergeinstead of multipleHeader setdirectives - Place common headers in the main configuration rather than .htaccess
- Consider using CDN-level header manipulation where possible
The Apache module mod_headers allows you to manipulate HTTP request and response headers. It's commonly used for:
- Adding security headers (CSP, X-Frame-Options)
- Controlling caching behavior
- Implementing CORS policies
- Modifying redirect responses
Before installation, verify if mod_headers is already loaded:
apache2ctl -M | grep headers
# Or for older systems:
httpd -M | grep headers
If you see headers_module in the output, the module is already active.
For Debian/Ubuntu Systems
sudo apt-get update
sudo apt-get install apache2
sudo a2enmod headers
sudo systemctl restart apache2
For CentOS/RHEL Systems
sudo yum install httpd
# Edit /etc/httpd/conf/httpd.conf and add:
LoadModule headers_module modules/mod_headers.so
sudo systemctl restart httpd
Basic Header Manipulation
<IfModule mod_headers.c>
# Set custom header
Header set X-Custom-Header "Hello World"
# Remove server signature
Header unset Server
</IfModule>
CORS Configuration
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header set Access-Control-Allow-Headers "Content-Type"
</IfModule>
Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "default-src 'self'"
</IfModule>
If headers aren't appearing as expected:
- Check Apache error logs:
tail -f /var/log/apache2/error.log - Verify syntax:
apachectl configtest - Ensure the directive is in the correct virtual host or directory context
Conditional headers based on environment variables:
<IfModule mod_headers.c>
<FilesMatch "\.(jpg|png)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
# Set different headers for mobile devices
Header append Vary User-Agent
</IfModule>