Clarify Apache Header always vs onsuccess behavior to prevent duplication (#2008)#2012

Open
HimasreeKolathur24 wants to merge 1 commit into OWASP:master from HimasreeKolathur24:fix-apache-header-always-clarification

Conversation

@HimasreeKolathur24

Summary

This PR clarifies the behavior of Header set (default onsuccess) and Header always set in Apache mod_headers.

Previously, the section mentioned the always option but did not explain that it operates on a separate internal header table. On 2xx responses, both onsuccess and always directives may apply, which can result in duplicate headers if the same header is configured in both contexts.

This update:

  • Adds a short clarification about the separation of header tables.
  • Warns about potential header duplication.
  • Recommends a safe configuration pattern using Header unset before Header always set.

The goal is to prevent misconfiguration while keeping the guidance concise and practical.

This PR fixes issue #2008.


AI Tool Usage Disclosure

  • I have used AI tools to generate the contents of this PR. I have verified the contents and I affirm the results. The LLM used is ChatGPT (GPT-5.2) and the prompt used was assistance in clarifying Apache mod_headers behavior and improving documentation wording.

@szh szh linked an issue Feb 17, 2026 that may be closed by this pull request
@Brandon-Johns

Thank you for working on this.
It's good.

I think it could be slightly improved with

  • Restore the link to the Apache documentation to enable further reading, in case that the solution does not meet the needs of the reader (if they need to apply different values of the headers for different status codes).
  • Add a note that to unset a header, it should be unset for both onsuccess and always.
  • Given the edge cases, as I discussed in the issue thread, I suggest altering the sentence
    • From: On 2xx responses, both may apply, which can result in duplicate headers if the same header is configured in both contexts.
    • To: In some cases, both header tables may be used, which can result in duplicate headers if the same header is configured in both contexts.
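The configuration pattern the PR description recommends (unset in the onsuccess table, then set in the always table) and the reviewer's note that a header must be unset in both tables, together with a check that a served response really carries each header once. This is an added example and is not code from the PR, the cheat sheet, or the Apache project; the header names and values (X-Frame-Options, X-Powered-By) and the sample response are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the PR or the cheat sheet): print the
# mod_headers pattern the PR recommends, and verify that a response carries
# each header exactly once.

# Configuration fragment: clear the header from the "onsuccess" table first,
# then set it once in the "always" table. Removing a header for good needs
# both "Header unset" and "Header always unset". Names and values below are
# illustrative placeholders, not the cheat sheet's own recommendations.
recommended_conf() {
    cat <<'EOF'
# Problematic pattern: the same header in both tables may be emitted twice
#   Header set X-Frame-Options "DENY"
#   Header always set X-Frame-Options "DENY"

# Safe pattern: unset in the onsuccess table, set once in the always table
Header unset X-Frame-Options
Header always set X-Frame-Options "DENY"

# To remove a header entirely, unset it in both tables
Header unset X-Powered-By
Header always unset X-Powered-By
EOF
}

# Read raw response headers (as printed by `curl -sI URL`) on stdin and
# print, one per line, the header names that occur more than once.
# Names are compared case-insensitively, as HTTP field names are.
duplicate_headers() {
    sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' \
        | sort \
        | uniq -d
}

# Constructed sample response: X-Frame-Options emitted from both tables.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
x-frame-options: DENY
Content-Type: text/html'

# Usage against a live server: curl -sI https://example.invalid/ | duplicate_headers
printf '%s\n' "$SAMPLE_RESPONSE" | duplicate_headers
```

Run the check against a 2xx page and against a page that returns an error status (for example a 404), since the onsuccess table only applies to successful responses and a duplicate may show up on one and not the other.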

@HimasreeKolathur24 HimasreeKolathur24 force-pushed the fix-apache-header-always-clarification branch from 69f2c22 to 9b9e1c3 on February 17, 2026 15:23
@HimasreeKolathur24
Author

@Brandon-Johns,
Thank you for the feedback. I’ve updated the section to restore the documentation link, adjust the wording, and clarify unsetting in both contexts. Please let me know if anything else should be refined.


@Brandon-Johns Brandon-Johns left a comment

This is very clear and well stated.
I fully approve of the changes in this form.
Thank you for your work on it.

Development

Successfully merging this pull request may close these issues.

Update: HTTP_Headers_Cheat_Sheet

3 participants