X- Headers removed from CGI output in v10.1

Joe Schmoe
17 February 2016, 09:59
Looks like headers beginning with "X-" have been removed from CGI output in v10.1.

This is problematic for the Drupal CMS since it is setting its own headers for security. Here is a sample set of response headers that have been removed.

X-Drupal-Ajax-Token: 1
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 8 (
X-UA-Compatible: IE=edge
x-content-type-options: nosniff

The main one that is causing problems is X-Drupal-Ajax-Token as it is used for verification of XMLHttpRequest responses to prevent cross-site scripting attacks.

More info:!
Hugo Leisink
17 February 2016, 13:40
To undo that, remove lines 1057 - 1059 from src/target.c. I will fix this in the next release.
Joe Schmoe
17 February 2016, 14:06
I was going to do exactly that and test today. Any particular reason they were removed in the first place?

Thanks Hugo.
Hugo Leisink
17 February 2016, 14:10
Many of the X- headers are messages meant for the webserver. So, for security reasons I decided to remove them from the final output. Seems I was a bit too careless when I removed them all.
Joe Schmoe
17 February 2016, 16:51
Just recompiled without the offending lines and works as expected. Thanks again.
25 February 2016, 07:59
You'd need to take a "Blacklist" approach. Only remove specific x headers.
25 February 2016, 08:05
Some headers that should definitely be removed and not get sent to the browser:
This topic has been closed.