PHP does not see Authorization header

While implementing a micropub token endpoint I noticed that I was unable to access the value of an HTTP Authorization header - $_SERVER did not include it.

$ curl -H 'Authorization: Bearer wolf' |grep -i auth

It turns out that you manually have to pass them, e.g. by adding the following line to your .htaccess file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
$ curl -H 'Authorization: Bearer wolf' |grep -i auth
  'HTTP_AUTHORIZATION' => string 'Bearer wolf'(length=11)

Alternatively you may use mod_rewrite:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


When Apache speaks via FastCGI with PHP, then the authorization header is available as REDIRECT_HTTP_AUTHORIZATION. There is no way to get rid of the REDIRECT_ in front; you code has to check both variants.

Written by Christian Weiske.

Comments? Please send an e-mail.