> Second, in many environments (managed hosting etc.) there is not an easy way (or indeed a way at all) of adding headers to responses.
It's getting better. Most serverless hosts (including Cloudflare, which this site uses) follow the (req: Request) => Response pattern, which by definition allows sending headers.
What are you talking about. Any non-static hosting will let you specify headers with a plain php function. Any baseline shared hosting offers that kind of control and has done so for the past 20+ years.
Sure, if you wanted to deal with configuring Apache. Or getting your hosting provider to do that. If you knew to ask, and didn't mind waiting, and your hosting provider knew how...and was willing to do it, a condition I forgot to add in my last comment here, but which applies equally there. (User-provided .htaccess files were the source of a number of relatively high-profile early CVEs, as I recall. Apache grew a number of options for trusting their content, and I want to say before very long you could not rely on anything working past simple HTTP-Basic credential management.)
Oldschool shared web hosting was a shockingly deprived environment by modern standards, which is why my Linode account turned old enough a few months ago to buy a drink in a bar: $20 a month in 2004 was amply worth gaining a degree of control over web server configuration which is broadly the default assumption now.
Since I was also administering some shared web hosting in my own right at the time - partially overlapping with my web design work targeting shared hosting, since some customers preferred to BYO - I don't blame admins for being difficult to work with; we all had good reason to be, with the afterthought security typically was everywhere in those days. But you begin perhaps to see why bypassing the whole rigamarole with a hint to the client was attractive.
I think you are the one who doesn't know what they are on about.
First, the header must be added to the response, not the request.
Second, in many environments (managed hosting etc.) there is not an easy way (or indeed a way at all) of adding headers to responses.
> Second, in many environments (managed hosting etc.) there is not an easy way (or indeed a way at all) of adding headers to responses.
It's getting better. Most serverless hosts (including Cloudflare, which this site uses) follow the (req: Request) => Response pattern, which by definition allows sending headers.
What are you talking about. Any non-static hosting will let you specify headers with a plain php function. Any baseline shared hosting offers that kind of control and has done so for the past 20+ years.
is that something that could have be done in the dot file for server override? what was it, .htaccess or something?
Sure, if you wanted to deal with configuring Apache. Or getting your hosting provider to do that. If you knew to ask, and didn't mind waiting, and your hosting provider knew how...and was willing to do it, a condition I forgot to add in my last comment here, but which applies equally there. (User-provided .htaccess files were the source of a number of relatively high-profile early CVEs, as I recall. Apache grew a number of options for trusting their content, and I want to say before very long you could not rely on anything working past simple HTTP-Basic credential management.)
Oldschool shared web hosting was a shockingly deprived environment by modern standards, which is why my Linode account turned old enough a few months ago to buy a drink in a bar: $20 a month in 2004 was amply worth gaining a degree of control over web server configuration which is broadly the default assumption now.
Since I was also administering some shared web hosting in my own right at the time - partially overlapping with my web design work targeting shared hosting, since some customers preferred to BYO - I don't blame admins for being difficult to work with; we all had good reason to be, with the afterthought security typically was everywhere in those days. But you begin perhaps to see why bypassing the whole rigamarole with a hint to the client was attractive.
7 replies →
Ever tried doing it in nginx? You'll find `add_header` doesn't work at all the way you think it does.
And it doesn't allow overrides in dotfiles since that's not performant or secure.