Setting a custom x-powered-by header value

1. Caddy version (caddy version):


2. How I run Caddy:

systemctl start caddy

a. System environment:

Platform: Linux 5.10.60-1-lts
Distribution: Arch Linux
Service Manager/Init: systemd

c. Service/unit/compose file:

No Docker, and using default unit file package by Arch Linux.

d. My complete Caddyfile or JSON config: {
   root * /var/www/shaarli
   encode zstd gzip

   header {
		Server Pineapple 
		Strict-Transport-Security max-age=31536000;
		Content-Security-Policy default-src 'self';
		Permissions-Policy interest-cohort=()
      	vary Accept-Encoding
	  	X-Content-Type-Options nosniff
      	X-UA-Compatible "IE=Edge"
		X-Frame-Options DENY
      	X-Download-Options noopen
    	X-XSS-Protection 1; mode=block;
    	X-Powered-By MutantMonkeys

3. The problem I’m having:

I’m hosting a PHP project, and would like to hide the X-Powered-By header that PHP sets. The issue I’m experiencing isn’t that Caddy is unable to set the X-Powered-By header, but that I get two of these headers: the one set by PHP, and the other by Caddy.

curl -v outputs:

x-powered-by: MutantMonkeys
x-powered-by: PHP/8.0.10

4. Error messages and/or full log output:

No errors in /var/log/caddy/access.log

5. What I already tried:

In my Caddyfile, under headers, I have set X-Powered-By MutantMonkeys

6. Links to relevant resources:

A closed issue that is relevant to my question, it dates back to Caddy’s v1 days.

Caddy is adding that response header, then the proxy is appending the one from the backend later.

Try putting defer on its own line as a subdirective in your header directive block, or use header_down in your php_fastcgi directive to replace the header coming from the backend.


defer worked. Thank you :smiley:

This topic was automatically closed after 30 days. New replies are no longer allowed.