So I have these headers in some of my PHP files:
<?php
header('Content-Type: text/html; charset=UTF-8');
header('Content-Style-Type: text/css');
header('Content-Script-Type: application/javascript');
header('HTTP/1.1 200 OK');
header('Content-language: en-US');
header('X-Powered-By: PHP/5.2.17');
header('Last-Modified: Tue, 01 Jan 2013 00:00:00 GMT');
header('Cache-Control: no-store, no-cache, max-age=0, must-revalidate');
header('Pragma: no-store, no-cache, max-age=0, must-revalidate');
header('Expires: Tue, 01 Jan 2013 00:00:00 GMT');
?>
How do I set them in my .htaccess file? (It should be for specific files only.) Here's what I've got so far:
<FilesMatch "^(index\.php|about\.php|contact\.php)$">
# HTTP Headers should be set in here
</FilesMatch>
You need to have mod_headers installed, or you might get error 500. You can wrap the setting of headers in a condition to check if mod_headers is present or not.
<FilesMatch "\.(html|htm|js|css)$">
<IfModule mod_headers.c>
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Expires "Thu, 01 Jan 2015 05:00:00 GMT"
</IfModule>
</FilesMatch>
You can also unset headers. For example, if you're behind a load balancer, the real visitor IP could be passed in the form of a custom header you don't want to expose to the application.
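# Header only touches response headers; RequestHeader (also mod_headers) strips the incoming request header
RequestHeader unset Real-Visitor-IP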
Besides expiration and ETags, and webserver-specific custom headers, you shouldn't tamper with headers at webserver level. Most of them should be managed at the application level, and you would prevent some frameworks from working normally if you pass them altered content types.
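The approach from the answer applied to the three files named in the question, as an added example that is not part of the original question or answer. It assumes mod_headers is available and, following the answer's advice, leaves Content-Type to the application.

```apache
<IfModule mod_headers.c>
    # Dots are escaped so only these three file names match
    <FilesMatch "^(index|about|contact)\.php$">
        # Caching headers taken from the question's PHP block
        Header set Cache-Control "no-store, no-cache, max-age=0, must-revalidate"
        # Pragma is an HTTP/1.0 header; "no-cache" is its only defined directive
        Header set Pragma "no-cache"
        Header set Expires "Tue, 01 Jan 2013 00:00:00 GMT"
        Header set Content-Language "en-US"
        # Remove the version banner instead of setting it;
        # it tells every client which PHP release is running
        Header unset X-Powered-By
    </FilesMatch>
</IfModule>
```

The `HTTP/1.1 200 OK` line from the PHP block is the status line, not a header, so it has no `Header set` equivalent and is left to the server.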