I'm currently trying to read the authorization header in a PHP script that I'm calling with a POST request. The Authorization header is populated with a token. It seems the Authorization header is somehow removed before it arrives at my PHP script. I'm executing the post request with Postman (Chrome addon) and I enabled CORS in my PHP script. I don't have access to the apache server directly.
HTTP Request:
Accept:*/*
Accept-Encoding:gzip,deflate
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4,ja;q=0.2
Authorization:Bearer mytoken
Cache-Control:no-cache
Connection:keep-alive
Content-Length:32
Content-Type:text/plain;charset=UTF-8
Host:www.myhost.com
Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/38.0.2125.104 Safari/537.36
PHP script:
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: Authorization, Origin, X-Requested-With, Content-Type, Accept");
header("Content-Type: application/json");
$headers = getallheaders();
echo $headers['Authorization'];
The above script outputs '' (= nothing).
After quite some time a found a solution to this problem. Somehow the Authorization header was stripped away and by adding the following lines in my .htaccess I was able to get it to work.
I don't know why my php 5.4.45 running on NGINX was refusing any custom header containing underscores:
ACCEPTED: CURLOPT_HTTPHEADER => array('Authorization: 123456')
REFUSED: CURLOPT_HTTPHEADER => array('my_Authorization: 123456')
I hope it can help someone. Cheers
Below array holds request headers, that may be missing in $_SERVER variable
(Especially true for 'HTTP_X_REQUESTED_WITH' ajax header, which will be found this way as:
$headers['X_REQUESTED_WITH']