Tech Tip – HTTP header with underscore in the name not set in Apache 2.4



Customer installed and configured SiteMinder Web Agent on Apache 2.4.

He has a PHP module which is expecting some of the default SiteMinder headers e.g. SM_USER, SM_DOMAIN etc and some custom headers which has underscore in its name (e.g USER_NAME etc).

However, when he reads the HTTP headers using PHP module (or a CGI module) , he couldn’t find any of the header with underscore in its name being set.

All other headers are working fine.


Policy Server : r12.52 SP1 CR2 (However, this is applicable for any version)

Root Cause:

This is a new feature introduced in Apache 2.4 in multiple modules like mod_cgi,mod_include,mod_isapi,php etc.

This was introduced to prevent cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped


For the default SiteMinder Headers

You can specify which naming convention the Web Agent uses for the default HTTP headers with the following parameter:


Specifies if the Web Agent uses underscores in HTTP header names.

When ,

LegacyVariables = yes (default), the HTTP Headers will have underscore (e.g SM_USER,SM_USERDN etc)

LegacyVariables = no, the HTTP headers will not have underscores (e.g SMUSER,SMUSERDN)

For custom HTTP Headers

LegacyVariables only controls the default SiteMInder HTTP headers. It doesn’t change the user defined HTTP Headers.

So. for bypassing this restriction in Apache 2.4, you will need to make sure that your custom HTTP header names does not have any underscore.

Alternatively, you can also refer to the workaround suggested by Apache, which will basically bypass this new security restriction.

This involves setting mod_setenvif and mod_headers which allows you to still accept these headers with underscore.

Environment Variables in Apache – Apache HTTP Server Version 2.5

Related BLOGS:

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Leave a Reply

Your email address will not be published.