.htaccess headers being ignored by Apache

It seems that PHP ignores headers defined in .htaccess when working as a FastCGI module.

There are a lot of suggestions how to fix this. In your case I would recommend to have a file that defines all your headers

<?php
// file headers.php
header('Cache-Control: no-cache,must-revalidate');
header('X-Clacks-Overhead: "GNU Terry Pratchett"');
header('X-XSS-Protection: 1;mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('Expect-CT: enforce,max-age=2592000');
header('Content-Language: en');
header('Referrer-Policy: origin-when-cross-origin');
?>

and save it to your DocumentRoot directory. Then add this entry to your .htaccess file to include it with every request:

php_value auto_prepend_file /var/www/html/headers.php     

Testing it:

<?php
// file test.php
die("hello world");
?>

And the headers are being sent:

$ curl -I ubuntu-server.lan/test.php
HTTP/1.1 200 OK
Date: Sun, 25 Nov 2018 09:37:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Cache-Control: no-cache,must-revalidate
X-Clacks-Overhead: "GNU Terry Pratchett"
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expect-CT: enforce,max-age=2592000
Content-Language: en
Referrer-Policy: origin-when-cross-origin
Content-Type: text/html; charset=UTF-8

Always keep in mind that when you change headers in .htaccess to also change them in headers.php.

Hope this helps!

---

➥ previous answer

I think this problem results from the httpd/apache2 headers_module not being loaded correctly (although you state otherwise in one of the above comments). You can check this by executing this command in the terminal:

apachectl -M | grep headers_module

If you get no output headers_module (shared) (or similar), then you have to activate the httpd/apache2 headers module. On a CentOS system you have to load the respective source file in your configuration (default /etc/httpd/conf/httpd.conf).

You have to add this line

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

and then restart the http server wih sudo systemctl restart httpd.service

With EasyApache 4 the folder where httpd/apache2 modules are located might differ and be /usr/lib64/apache2/modules/.

I hope this helps!

It is not so much FastCGI as it is mod_proxy_fcgi, the method of asking Apache to "execute" FastCGI by passing it to some other listener.

When you use any mod_proxy* module, .htaccess isn't processed at all, because you're acting as a proxy and short-circuiting any disk-related configuration sections.

php-fpm will be looking at the request URL and reading data from disk, but Apache isn't. It is just confusing to people because they can be running on the same host and the files are often in a directory httpd could serve directly.