Where are these extra HTTP headers coming from?

Question

When I simply echo something out of php file, I do not send any headers intentionally, however - there are some default headers present anyway when I look at firebug response:

response headers:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Jun 2011 19:33:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6-6~dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip

I'm curious - are these default response headers set by the server(nginx) or by PHP?

Answer 1

I believe it is a combination of both... You can tell that "X-Powered-By: PHP/5.3.6-6~dotdeb.1" comes from PHP and "Server: nginx" comes from NGINX.

You can alter the headers in PHP as follows:

<?php
    header("HTTP/1.0 404 Not Found");
?>

The gzip header most definitely comes from NGINX as it is compressing the output (html) to the browser. PHP can "add" to the headers by calling a function like the one above. Then the server combines it with the PHP headers and serves the request.

It depends on your server whether or not the PHP headers take precedence over the server headers.

Hope this helps.

Answer 2

The majority are set by nginx, for example the Server, Date, Content-Encoding, and Connection. However, some other headers are set by PHP, and you can add others in PHP like this header("Name: Value");

Answer 3

The X-Powered-By header is controlled by the value of the expose_php directive in php.ini:

Decides whether PHP may expose the fact that it is installed on the server (eg by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not.

Answer 4

Most headers are sent by nginx. To list the headers (to be) sent by PHP, use the function headers_list :

<?php
echo htmlentities(print_R(headers_list(), true));
?>

Answer 5

PHP automatically sets some of them, like Content-Type: text/html for the hello world page. nginx sets the ones that have to do with the socket, like Connection: keep-alive .

You'll find settings for connections in nginx's configuration. Content-wise, it's PHP. You're allowed to override quite a few of them with the header() function in PHP, as well as add your own custom headers. http://php.net/manual/en/function.header.php

For example, you could set the Content-Type to application/json if you're planning to have PHP send out a JSON string.

Answer 6

You can also overwrite any of the default server headers using the header() function. For example, if you include in your PHP header('Server: ') this will reset the Server: header to be blank.

Answer 7

What's still missing in the answers is the role of PHP:

Some of the headers are indeed set by PHP itself, but the reason is not that easy to find. It's the default session cache delimiter behavior explained here: http://www.php.net/manual/en/function.session-cache-limiter.php

What's afaik not in the docs is how to turn them off completely - simply pass some undefined value to it:

session_cache_limiter(false);

You must to do this before you start your session. In case you are using the Zend Framework, you have to set this before your applications bootstrap() - otherwise it won't work.