How to add additional headers to 302 redirects in Apache?
H

3

6

I have a redirect in Apache config like

Redirect temp /foo.xml http://www.baz.com/foo.xml

I am trying to add an Expire and m-cache headers for a CDN to this 302. This would be trivial in PHP, but I need to do this in Apache config files.

Normally this is done like this:

ExpiresActive On
ExpiresDefault "access plus 10 minutes"

but this only seems to not work for 302 redirects. Any suggestions?

Hollyhock answered 27/3, 2009 at 16:43 Comment(1)
Apache configuration? Via which programming language? - Mcdowell
B
1

Check out the mod_headers module for Apache.

Perhaps something like:

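<Location /foo.xml>
   Redirect temp /foo.xml http://www.baz.com/foo.xml
   # ExpiresActive and ExpiresDefault are mod_expires directives, not header names;
   # Cache-Control max-age=600 is the header form of "access plus 10 minutes".
   Header always set Cache-Control "max-age=600"
</Location>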

I have edited this answer (since it was accepted), adding the always keyword, to reflect what Fix correctly pointed out below.

Benedick answered 27/3, 2009 at 17:12 Comment(2)
Except, this doesn't actually work because the headers aren't added when a redirect is done. - Leonerd
This does work because of the always directive. See @Fix's answer below. It explains it better. - Tricyclic
S
17
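<Location /foo.xml>
   Redirect temp /foo.xml http://www.baz.com/foo.xml
   # Header takes a response header name (ExpiresActive/ExpiresDefault are
   # mod_expires directives); max-age=600 corresponds to "access plus 10 minutes".
   Header always set Cache-Control "max-age=600"
</Location>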

to get it working even with HTTP 302 responses (actually, with any HTTP response); without the keyword "always", the directive "Header set" works only with success responses, i.e. HTTP 2xx responses.

Shellfish answered 15/11, 2010 at 15:45 Comment(0)
G
4

Please note an odd bug in Apache 2.2 (observed in Apache 2.2.15) that makes this difficult if you are using env=HTTPS to control when the Header is being set. For some reason env=HTTPS fails to fire during redirects, even if RewriteCond %{HTTPS} on is used to control the redirect. So in my configuration that enables HTTP Strict Transport Security (HSTS), I use a RewriteRule to create an environment variable called X_HTTPS that has the same value as the HTTPS, but which is not set to null when env=X_HTTPS is evaluated:

SetEnv HSTS "max-age=31536000; includeSubDomains; preload"

# For some reason in Apache 2.2, HTTPS env variable is not available during redirects
RewriteCond %{HTTPS} on
RewriteRule ^.*$ - [ENV=X_HTTPS:%{HTTPS}]
# Set HSTS Header if the page is delivered via SSL
Header always set Strict-Transport-Security %{HSTS}e env=X_HTTPS

# Redirect SSL-only non-www page to www and quit
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule ^(.*)$ https://www.%{SERVER_NAME}%{REQUEST_URI} [R=303,L]

# Redirect ANY non-SSL page to SSL
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=303,L]
Glowworm answered 8/1, 2018 at 14:2 Comment(1)
This is exactly what I'm trying to do. Unfortunately this solution doesn't work for me. No environment variables seem to work with redirects. The only solution I've found is to omit the env= clause, which works but also sends the Strict-Transport-Security header on plain HTTP requests. - Zennas
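
One way to avoid the env= condition altogether, as an added example that is not from any of the answers: scope the header to the TLS virtual host, so that `Header always set` applies to every HTTPS response (redirects included) and is never configured for plain HTTP. The host names follow the answer above; the certificate paths are placeholders and the two-vhost layout is an assumption about the setup.

```apache
# Added example, not from the original answers.
# Host names follow the answer above; certificate paths are placeholders.

# Plain-HTTP virtual host: redirect only. No HSTS header is configured here,
# so Strict-Transport-Security is never sent over an unencrypted connection.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine On
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=303,L]
</VirtualHost>

# TLS virtual host: every response from this block is HTTPS by construction,
# so no env= condition is needed. "always" puts the header on redirects and
# error responses as well as on 2xx responses.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com

    SSLEngine On
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Redirect the bare domain to www; the 303 carries the HSTS header too.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=303,L]
</VirtualHost>
```

To check the result, `curl -sI http://example.com/` should show a 303 without Strict-Transport-Security, and `curl -sI https://example.com/` should show a 303 that includes it.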