问题
I have a website where virtual hosts are defined in /etc/apache2/sites-enabled/
with a header being set with the always
option like this:
Header always set X-Frame-Options DENY
If I now set the same header using .htaccess
in the web site's root folder, but without always
then the header is returned twice in the server's response.
The setting in .htaccess
(amongst others):
Header set X-Frame-Options DENY
The server's response:
HTTP/1.1 200 OK
Date: Mon, 02 May 2016 16:02:29 GMT
Server: Apache/2.4.10 (Debian)
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Last-Modified: Mon, 02 May 2016 15:03:42 GMT
Accept-Ranges: bytes
Content-Length: 0
X-Frame-Options: DENY
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
The Apache docs say that without the always
option the default value of onsuccess
is used. But they also say that "... the default value of onsuccess does not limit an action to responses with a 2xx status code..." (http://httpd.apache.org/docs/current/en/mod/mod_headers.html#header).
But if I don't add always
, then error pages like 301s and 404s will not have the header set. On the other hand, if I do add always
then the headers might be set twice if I do use the default value (i.e. onsuccess
) in .htaccess
. As the docs state: "repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers". Setting headers twice is not always valid for an HTTP response, see https://stackoverflow.com/a/4371395/641481. So I want to avoid it, naturally.
My question now is: When exactly should I use onsuccess
(i.e. the default value) and when always
? I must admit that even after reading through the Apache docs a couple of times I do not exactly understand this. Pragmatically it seems that always using always
leads to the correct/expected behaviour.
I also do not understand why Apache writes the header twice if it is set in always
and onsuccess
. It seems wrong to me, but there must be a good reason for this, since I assume the Apache-devs know a lot more than I do about HTTP ;-)
回答1:
This is only a partial answer since it does not cover the onsuccess
attribute. It is based on experiences using apache 2.4.7 running on an Ubuntu 14 os. Hope it helps you along.
The pure set
parameter, without attributes, to the Header
directive overwrites any always
attribute by forcing the argument to Header set
to be the only one delivered. If the same directive appears in a directory, i.e. file system based .htaccess file it has precedence over the same directive noted in a virtual host definition file related to that directory. If the attribute always
is noted additionaly, it has the effect that any, equal or different, notation of the same directive is added to the server answer instead of overwriting/replacing it.
Probably the onsuccess
attribute, which i unfortunately do not have the time to explore now, may be handled similar as the always
attribute.
来源:https://stackoverflow.com/questions/36991188/what-is-the-difference-between-always-and-onsuccess-in-apaches-header-confi