On 4/22/26 1:18 PM, Jose Kahan wrote:
> Hi,
>
> Just sharing some info about a limitation of mod_headers.
>
> I was doing some experiments with Content-Security-Policy (CSP),
> where I wanted to append extra parameters to an existing header.
>
> I was planning to use mod_headers for this but the issue is that
> CSP headers use structured HTTP headers [rfc8941], where each
> parameter is separated by a ';'. The same RFC states that a ',' is
> used to separate items in a list.
>
> The 'append' action of mod_headers uses ',' to separate values so
> its use is limited to lists.
>
> For example, in the following CSP header we have two parameters:
> default-src and img-src. Each parameter has its own values
> separated by spaces; for img-src those are 'self' and example.com.
>
> Content-Security-Policy: default-src 'self'; img-src 'self' example.com
>
> What I wanted to do is use mod_headers append to go from:
>
> Content-Security-Policy: default-src 'self'
>
> to
>
> Content-Security-Policy: default-src 'self'; img-src 'self' example.com
>
> The only way I can manage to do this at the moment is to replace
> the existing header.
Try using edit or edit* as described in
https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
e.g. the below removes any existing HttpOnly, Secure, SameSite settings from a
Set-Cookie header and adds them again with the desired setting for SameSite.
Header edit* Set-Cookie "(; *)([hH]ttp[oO]nly|[Ss]ecure|[Ss]ame[Ss]ite=.*([ ;]|$))" ""
Header edit Set-Cookie "^(.*)$" "$1; HttpOnly; Secure; SameSite=Lax"
Regards
Rüdiger
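The same edit-based approach applied to the CSP case from the original question, as an added configuration example that is not part of either message. It assumes the existing header starts with default-src (so any img-src to be removed is preceded by a ';') and that the server runs mod_headers 2.4.7 or later for setifempty; example.com is the host used in the question.

```apache
# Added example (not from the thread): append a directive to an existing
# Content-Security-Policy header with "Header edit" instead of "Header append".
# "append" always joins values with ',' (HTTP list syntax), while CSP
# directives are separated by ';', so "append" cannot produce the wanted value.

# "edit" only acts when the header already exists, so give it a starting
# value if nothing upstream set one (setifempty: mod_headers 2.4.7+).
# "always" applies the directive to error responses as well as 2xx/3xx ones.
Header always setifempty Content-Security-Policy "default-src 'self'"

# Remove any img-src directive already present so it is not duplicated.
# edit* repeats the substitution until no further match remains.
# Assumption: img-src is never the first directive (it is preceded by ';').
Header always edit* Content-Security-Policy "; *img-src[^;]*" ""

# Append the desired directive with the ';' separator CSP expects:
#   default-src 'self'  ->  default-src 'self'; img-src 'self' example.com
Header always edit Content-Security-Policy "^(.*)$" "$1; img-src 'self' example.com"
```

If the existing value already ends in a ';', the final edit yields ';;'; CSP parsers skip empty directives, so the policy still parses as intended, but `apachectl -t` plus a `curl -sI` of the response is the quickest way to confirm the header that actually ships.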