We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Accessing 'Authorization' custom request headers


I'm trying to access custom request headers in a Micro application (REST api) and I can't seem to access some of them.

I'm using $app->request->getHeader('My-Custom-Header');

but it returns an empty string for one of my headers.

I'm just using CURL to test this at the moment. I've looked at this post here https://forum.phalcon.io/discussion/802/access-request-headers-from-phalcon-mvc-micro but unfortunately I'm not using NGINX.

The curl request is as follows:

curl -H"Authorization:Bearer 12345" -H"foo:foo"

Phalcon doesn't see 'Authorization' but it will print 'foo'

What's even more interesting though is that if I call var_dump(getallheaders()) so using PHP's native function, the Authorization header is present, implying to me it isn't an issue with the Apache or php configuration (though I could obviously be wrong).

Any thoughts anyone?


edited Jan '16

So it turns out that PHP only parses the Authorization header for Basic and Digest.

The solution suggested on php.net is to have Apache rewrite the header to essentially prefix "HTTP_" which will then allow PHP to parse it properly.

RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I couldn't get the rewrite rule to work, but I suppose if I'm the only one consuming my api I can call the header something else for now. Annoying though to say the least

edited Jan '16

I'm using OAuth2 with that header.

Nginx (deafult config, no tweaks), and with Phalcon it works like that $this->request->getHeader("Authorization").

With Apache2, i've added in virtualhost node of config these strings (together with deafult for Phalcon of course):

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

And it works too the same way. Did you try this?

ps: even if you have no access to server configuration, OAuth2 specs (and OAuth2 libs like that allows clients to pass access_token in query parameter (not header) with any http method.

Phalcon will access it w/o any issue if your web server sends them.

In case of API headers for security, HMAC digest etc. you'd need to enable underscore in headers to be forwared as well.

For Nginx:


edited Jan '19

@vasilp since that is just an alias of apache_request_headers which historically was only available under mod_php/Apache2 SAPI. And just now on 7.3.0 changelog states: This function became available in the FPM SAPI.

So now it should be supported on all relevant SAPI's. But that's little too late to the party IMHO, no one sane would use such thing with apache in function name and getallheaders() is pretty unknown to the devs.