I'm using PHP slim framework for a personal project. For some reason, the PSR implementation of Request in Slim apparently is filtering some headers. I am trying to set a custom CSRF token and it is not available via $request->getHeaders(). Here's one example that shows the problem:
$app->get('/bar', function ($request, $response, $args) {
echo "PHP's getallheaders() <br>";
foreach (getallheaders() as $name => $value) {
echo "$name: $value <br>";
}
echo "Slim's GetHeaders() <br>";
foreach ($request->getHeaders() as $name => $values) {
foreach ($values as $value) {
echo "$name: $value <br>";
}
}
});
I get this output:
PHP's getallheaders()
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: null
Accept-Encoding: gzip, deflate
csrf_name: csrf56fc038c2f6eb
csrf_value: 4e077c04dadf22377da2aebc1a8caa78
Cookie: PHPSESSID=41016nbag70gi6shq4u2tg0aq1
Connection: keep-alive
Slim's GetHeaders()
Host: localhost
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE: null
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_COOKIE: PHPSESSID=41016nbag70gi6shq4u2tg0aq1
HTTP_CONNECTION: keep-alive
I am trying to understand why the custom headers:
csrf_name: csrf56fc038c2f6eb
csrf_value: 4e077c04dadf22377da2aebc1a8caa78
are being removed by Slim.
It is not Slim, it is the webserver.
Even though header whose name contains underscore is valid by HTTP spec, both Nginx and Apache silently drop those headers for security reasons. In general you should use only use headers containing a..zA..Z and - characters.
With Apache you can still access header with underscore in their name using getallheaders() which is an alias to apache_request_headers().
With Nginx you can enable headers with underscrore in their name with underscores_in_headers on setting.