Skip to content

How to Use Apache mod_headers for Header Manipulation

DodaTech Updated 2026-06-24 1 min read

mod_headers controls HTTP headers for security, CORS, and Caching. Security headers like HSTS and X-Frame-Options are essential for modern web security. This guide walks through the specific troubleshooting steps to diagnose and resolve header configuration issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

No custom headers configured

Wrong: Missing security headers

Header always set X-Content-Type-Options nosniff\nHeader always set X-Frame-Options DENY\nHeader always set X-XSS-Protection "1; mode=block"\nHeader always set Strict-Transport-Security "max-age=31536000"

Right: Setting security headers with mod_headers

Output

Security headers configured:\n  X-Content-Type-Options: nosniff\n  X-Frame-Options: DENY\n  X-XSS-Protection: 1; mode=block\n  HSTS: enabled

Prevention

To avoid future issues, follow these best practices:

  • Enable mod_headers with a2enmod headers
  • Use Header always set for response headers
  • Use Header set for conditional header based on status
  • Use Header unset to remove headers
  • Use Header edit to modify header values

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with mod headers

  1. Mixing let bindings with <- bindings in do notation, producing type errors
  2. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
  3. Non-exhaustive pattern matches that compile with warnings then crash at runtime

These mistakes appear frequently in real-world APACHE code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What is the difference between Header set and Header always set?|||Header set applies headers on non-error responses (2xx, 3xx). Header always set applies headers on ALL responses including errors.
How do I add CORS headers? Header always set Access-Control-Allow-Origin "*" and Header always set Access-Control-Allow-Methods "GET, PUT, POST, DELETE".

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro