X-Frame-Options and frames - apache

I did set X-Frame-Options DENY in the Apache configuration file.
Header always append X-Frame-Options DENY
I can see that the server response contains X-Frame-Options DENY in the headers, but the iframe on the page is still visible.
What am I doing wrong?

The best way I've found is to set it under your virtual host and, if you're using Drupal, make sure your "settings.php" has the following added to it:
$conf['x_frame_options'] = '';
Apache - virtual host: set the following at the top of your definition (see below):
<VirtualHost *:80>
DocumentRoot "/var/www/your_site_dir"
SetEnvIf Referer "^.*?\.yourdomain\.(com|net)\.au.*?$" NO_X_FRAME_OPTIONS 1
Header always unset X-Frame-Options env=NO_X_FRAME_OPTIONS
Header set X-Frame-Options "SAMEORIGIN" env=!NO_X_FRAME_OPTIONS
# Rest of config below...
</VirtualHost>
Hope this helps! PS - this will also work with all unsupported browsers.

This option isn't supported by every browser:
IE8+
Opera 10.50+
Safari 4+
Chrome 4.1.249.1042+ (Allow-From not yet supported)
Firefox 3.6.9 (or earlier with NoScript)
Source: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

Related

Fixing multiple broken headers in Apache 2.4

I'm using Apache 2.4.52 and I have two headers I'd like to fix in my Apache config. The problem is only one RequestHeader works at a time.
I can only get the 'SOME-TOKEN' RequestHeader working if I comment out or remove SOME-API-KEY from the config.
Note: this problem happens using either method from the code below. Only the SOME_API_KEY header works; in order for the SOME-TOKEN header to work, I have to remove the other RequestHeader.
RequestHeader set SOME-API-KEY "expr=%{req:SOME_API_KEY}"
RequestHeader set SOME-TOKEN "expr=%{req:SOME_TOKEN}"
I've also tried this - from here: https://httpd.apache.org/docs/2.4/env.html#examples
The same problem exists, only the SOME-API-KEY RequestHeader works. Again, if I remove SOME-API-KEY RequestHeader, SOME-TOKEN header will begin working as expected.
SetEnvIf ^SOME.API.KEY$ ^(.*)$ fix_some_api_key=$1
RequestHeader set SOME-API-KEY %{fix_some_api_key}e env=fix_some_api_key
SetEnvIf ^SOME.TOKEN$ ^(.*)$ fix_some_token=$1
RequestHeader set SOME-TOKEN %{fix_some_token}e env=fix_some_token
Additional info: this API is a separate vhost using mod_wsgi, and I do have WSGIPassAuthorization ON set. I've tried using one RequestHeader in the main Apache config, one in the vhost config, and both in the VirtualHost config, to no avail.

Apache mod_headers modification not passing through on ProxyPass

I have WebSocket GET requests that are coming to an Apache http server and are being forwarded to an Apache Tomcat 8.5.x server (represented here as 192.168.1.77:80).
I'm attempting to use mod_headers to set the "upgrade" header value.
Inside my VirtualHost tag, I have the equivalent to the following:
<LocationMatch "/somewhere">
ProxyPass ws://192.168.1.77:80/socket
RequestHeader set Upgrade "myvalue"
</LocationMatch>
This does not work as I would expect it to. The set seems to be applying to Apache http but not Apache Tomcat.
In Apache http, when I add %{Upgrade}i to my LogFormat, I see the "Upgrade" header is set to "myvalue".
However, in the Tomcat logs, if I add "%{Upgrade}i", I see that my RequestHeader set operation did not take effect, and Tomcat records the original value of the "Upgrade" header from the original GET request.
Note: I have already tried adding the "early" argument like so:
<LocationMatch "/somewhere">
ProxyPass ws://192.168.1.77:80
RequestHeader set Upgrade "myvalue" early
</LocationMatch>
Any thoughts as to what is going wrong or what I might be missing?
I'm using mod_proxy_wstunnel, and apparently the upgrade header "WebSocket" is hard-coded in that module.

Apache mod_headers cannot unset header on a path

I am trying to set a header using mod_headers in Apache in all cases EXCEPT a certain path. I've tried each of the three variations below to do so, but none of them seem to work properly to exclude the path. In ALL cases I get the header for all requests, including those that match the example path, e.g.: http://example.com/charts/24_hour_commodity/450/300
<VirtualHost *:8200>
...
SetEnvIfNoCase Request_URI "^/charts/.*" frameallow
Header set X-Frame-Options SAMEORIGIN env=!frameallow
...
</VirtualHost>
Or:
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<LocationMatch "^/charts">
Header always unset X-Frame-Options
</LocationMatch>
...
</VirtualHost>
Or
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<Directory "/full/path/to/charts">
Header always unset X-Frame-Options
</Directory>
...
</VirtualHost>
#tried both with and without the 'always' in all configs
Can anyone help me figure out why the header is set in the first example or not unset in the following two? Any one working solution would be enough...
UPDATE:
After reading about order of processing on the Apache site, I tried using conditional blocks instead. Neither of those work either:
<If "%{REQUEST_URI} =~ m#^/charts#">
Header unset X-Frame-Options
</If>
Or
SetEnvIfNoCase Request_URI "^/charts" frameallow
<If "reqenv('frameallow') == 1">
Header unset X-Frame-Options
</If>
So, still broken. Must be something about the Header statements not firing after a certain point in processing, or the ones in the conditional somehow firing before the main one and being overridden. Cannot find a way to debug it down to the root cause though.
Response header with expression
Header always set Access-Control-Allow-Origin * "expr=%{REQUEST_URI} =~ m#^/specialPath$#"
This may add the header when the expr is true.
http://httpd.apache.org/docs/current/mod/mod_headers.html
at the bottom of the section on the Header directive

CORS Access-Control-Allow-Origin Error on Drupal 7 with Cloudflare

We have been having a problem where we get errors of the format:
Font from origin 'https://example.com' has been blocked from loading by
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'https://www.example.com' is therefore not allowed access.
We also get a "Redirect at origin" error.
We are using Drupal 7 and Cloudflare.
We have attempted to edit .htaccess to include
Header set Access-Control-Allow-Origin "https://example.com"
Header set Access-Control-Allow-Origin "https://www.example.com"
Tried quite a lot:
have purged cloudflare
restarted apache
tried wildcard "*"
Drupal CORS module
So far no joy.
As this approach is not working, I am wondering if something is being missed or if there is an alternate approach, such as why we are getting origin 'https://example.com' being in the request via Drupal and not 'https://www.example.com'.
Last note is that when I review some resources I see two distinct patterns.
If a resource has a status of "301 Moved Permanently", in the request headers there is
Host www.example.com
Referer https://example.com/
Where the status is "304 Not Modified"
Host example.com
Referer https://example.com/
It's odd that there is any www at all; htaccess should be redirecting and it is absent from base_url.
I have experienced a very similar issue.
Be sure that the headers module is enabled.
1 - To enable mod_headers on Apache2 (httpd) you need to run this command:
sudo a2enmod headers
Then restart Apache:
sudo service apache2 restart
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains for all files, add this to your .htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
## SECURITY WARNING : never add following line when site is in production
## Header set Access-Control-Allow-Origin "*"
</IfModule>
3 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains and for fonts only (in our example), use FilesMatch as in the following section in your .htaccess:
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
</IfModule>
</FilesMatch>
After making changes in the .htaccess file, there is no need to restart your Apache web server.
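As an added example (not part of the answer above, and not Drupal or Apache project code), here is an .htaccess fragment that allows a fixed list of origins for font files. Repeated `Header set Access-Control-Allow-Origin` lines overwrite each other, so only the last origin listed is ever sent; this fragment instead matches the request's Origin header against an anchored allowlist and echoes it back only on a match, and adds `Vary: Origin` so a shared cache (Cloudflare included) does not hand one origin's response to another. The host names, the `CORS_ORIGIN` variable name and the font extensions are placeholders chosen for the example.

```apache
# Added example: allow CORS font loads only from an explicit list of origins.
# Placeholder origins: replace with the real apex and www hosts.
<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
      # Match the request's Origin against the allowlist; $0 is the whole match.
      # The anchors and escaped dots stop lookalike hosts such as
      # example.com.other.test from matching.
      SetEnvIf Origin "^https://(www\.)?example\.com$" CORS_ORIGIN=$0

      # Echo back only an allowlisted origin. "always" also attaches the header
      # to Apache's own 3xx/4xx responses, which the plain form does not.
      Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

      # Tell caches that this response depends on the Origin request header.
      Header always merge Vary Origin env=CORS_ORIGIN
    </FilesMatch>
  </IfModule>
</IfModule>
```

To check it, request a font with `curl -sI -H 'Origin: https://www.example.com' https://example.com/path/to/font.woff2` and confirm that both `Access-Control-Allow-Origin: https://www.example.com` and `Vary: Origin` appear, then repeat with an Origin outside the list and confirm that neither does. A 301 issued before the request reaches Apache (for instance at a CDN edge) carries none of the headers Apache sets, so the redirect's own response headers are worth inspecting separately.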

Add X-Frame-Options for all urls on a web-site except a list of enabled

We want to add X-Frame-Options to all HTTP responses except some of them (as some pages are supposed to be shown in iframes, outside of the website). How can this be done?
Solved by adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>
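An added example (not the posted solution above, and not Apache project code) that applies a DENY policy site-wide while exempting one path prefix, the case both this question and the earlier "cannot unset header on a path" question describe. It avoids two pitfalls: mod_headers keeps two separate header tables, the default one (successful responses only) and the `always` one, and a `Header unset` only removes what was set into the same table; and the exemption is keyed on the request path rather than on Referer, which a browser may omit or strip. The `expr=` condition on the Header directive needs Apache 2.4.10 or later. The `/embeddable/` prefix, host and document root are placeholders. Remember also that the browser enforces X-Frame-Options on the response of the document being framed, so the header has to be present on the page loaded inside the iframe, not on the page that contains the iframe.

```apache
# Added example: DENY framing everywhere except under one path prefix.
<VirtualHost *:80>
    # Placeholders for the example.
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    # Approach 1: one conditional directive. "always" places the header in the
    # table that is sent with every status code (3xx and 4xx included), and the
    # expression skips it only for the embeddable prefix.
    Header always set X-Frame-Options "DENY" "expr=%{REQUEST_URI} !~ m#^/embeddable/#"

    # Approach 2 (an alternative to approach 1; do not enable both): set the
    # header site-wide, then unset it in a narrower scope. Both directives must
    # address the same table, so "always" appears on both; a plain
    # "Header unset" would not find a header that "Header always set" placed.
    #
    # Header always set X-Frame-Options "DENY"
    # <LocationMatch "^/embeddable/">
    #     Header always unset X-Frame-Options
    # </LocationMatch>
</VirtualHost>
```

Verify with `curl -sI http://www.example.com/` (expect `X-Frame-Options: DENY`) and `curl -sI http://www.example.com/embeddable/widget` (expect no X-Frame-Options line), and check a 404 under each prefix as well, since a policy set without `always` disappears from error responses.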