Zend PHP 7 Certification – Web Features – HTTP Headers and Code

This post covers the HTTP Headers and Code section of the Web Features chapter when studying for the Zend PHP 7 Certification.

HTTP is a protocol used for transferring data between web servers and client browsers.

The header() function in PHP sends a raw HTTP header. There are two special-case header calls. The first is a header that starts with the string HTTP/, which will be used to figure out the HTTP status code to send. For example, the below sends a 404 status.

<?php
header("HTTP/1.0 404 Not Found");

// Ensure no code below gets executed
exit;

The second special case is the Location: header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.

<?php
header("Location: http://www.somesite.com");
exit; // header() does not stop the script; code below would still run

The second parameter, replace, indicates whether the header should replace a previous similar header. By default it will replace, but if you pass in FALSE as the second argument you can force multiple headers of the same type.

<?php
header('WWW-Authenticate: Negotiate');
header('WWW-Authenticate: NTLM', false);

The third parameter is the response code. A summary of some of the response code classes can be seen below.

  • 1XX – Informational
  • 3XX – Redirection
  • 5XX – Error

<?php
// 301 Moved Permanently
header("Location: /foo.php",TRUE,301);

If you want the user to be prompted to save the data you are sending, such as a generated PDF file, you can use the Content-Disposition header to supply a recommended filename and force the browser to display the save dialog.

<?php
// We'll be outputting a PDF
header('Content-Type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

PHP scripts often generate dynamic content that must not be cached by the client browser. Clients can be forced to disable caching with the following code.

<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past

PHP contains other useful functions regarding header information.

The headers_list() function will return a list of headers to be sent to the browser/client.

<?php
/* setcookie() will add a response header on its own */
setcookie('foo', 'bar');

/* Define a custom response header
   This will be ignored by most clients */
header("X-Sample-Test: foo");

/* Specify plain text content in our response */
header('Content-type: text/plain');

/* What headers are going to be sent? */
var_dump(headers_list());

/* Outputs:
array(4) {
  [0]=>
  string(23) "X-Powered-By: PHP/5.5.26"
  [1]=>
  string(19) "Set-Cookie: foo=bar"
  [2]=>
  string(18) "X-Sample-Test: foo"
  [3]=>
  string(24) "Content-type: text/plain"
}
*/

The headers_sent() function checks if or where headers have been sent.

<?php
// If no headers are sent, send one
if (!headers_sent()) {
    header('Location: http://www.example.com/');
    exit;
}
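
The Location header, the response-code parameter and headers_sent() combine naturally into one redirect helper that also checks the target when it comes from request data. This is an added example, not code from the original post; ALLOWED_HOSTS, safe_redirect_target() and redirect_to() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post. ALLOWED_HOSTS and both
// function names are hypothetical.
const ALLOWED_HOSTS = ['www.example.com'];

// Return $target if it is a same-site path or an http(s) URL on an allowed
// host; otherwise return $fallback.
function safe_redirect_target(string $target, string $fallback = '/'): string
{
    // Reject empty values, control characters (CR/LF included) and backslashes.
    if ($target === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return $fallback;
    }
    // Same-site path: one leading slash only ("//host/..." is scheme-relative).
    if ($target[0] === '/' && substr($target, 0, 2) !== '//') {
        return $target;
    }
    $parts = parse_url($target);
    $ok = is_array($parts)
        && in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        && in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)
        && !isset($parts['user']) && !isset($parts['pass']);
    return $ok ? $target : $fallback;
}

// Send the redirect and stop the script; returns false if output has started.
function redirect_to(string $target, int $status = 302): bool
{
    if (headers_sent($file, $line)) {
        error_log("Cannot redirect, output started at $file:$line");
        return false;
    }
    header('Location: ' . safe_redirect_target($target), true, $status);
    exit; // Without this, the code after the call still runs.
}

// Constructed sample values, as a "next" request parameter might supply them.
$samples = [
    '/account?tab=1',
    'https://www.example.com/ok',
    '//other.example/',
    'https://other.example/',
    "/a\r\nX-Test: 1",
];
foreach ($samples as $t) {
    echo json_encode($t), ' => ', safe_redirect_target($t), "\n";
}
```

Run from the command line, the loop prints each sample next to the target that would actually be sent; only the first two are kept, the rest fall back to "/".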

header_remove() removes an HTTP header previously set using header().

<?php
header("X-Foo: Bar");
header("X-Bar: Baz");
header_remove("X-Foo");

To unset all headers, you can simply use header_remove() with no arguments.

Note: This article is based on PHP version 7.1.