header() / http_response_code() Since: PHP 4(2000)
Functions for sending HTTP response headers. Used to control HTTP communication, including redirects, Content-Type declarations, cache control, and CORS headers.
Syntax
// Sends an HTTP header. header($header, $replace, $response_code); // Removes a previously set header. header_remove($name); // Checks whether headers have already been sent. headers_sent($filename, $line); // Gets or sets the HTTP response status code. http_response_code($code);
Function List
| Function | Description |
|---|---|
| header($header, $replace, $response_code) | Sends an HTTP header. The second argument controls whether a header of the same name is replaced, and the third argument sets the response status code. |
| header_remove($name) | Removes a previously set HTTP header. If the argument is omitted, all headers are removed. |
| headers_sent($file, $line) | Returns a boolean indicating whether headers have already been sent. If arguments are provided, the file name and line number where output began are stored in them. |
| http_response_code($code) | Returns the current status code when called without an argument. Passing a code sets the response status code. Available in PHP 5.4 and later. |
Sample Code
<?php
// Redirects to another page.
header("Location: https://example.com/login.php");
exit; // Always call exit after a redirect to stop script execution.
// Sets a 301 redirect. Use this for permanent URL changes.
header("Location: https://example.com/new-page.php", true, 301);
exit;
// Sets the Content-Type header and returns JSON.
header("Content-Type: application/json; charset=UTF-8");
echo json_encode(['status' => 'ok', 'message' => 'Success']);
// Sets headers for a file download.
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"report.csv\"");
header("Content-Length: " . filesize("report.csv"));
readfile("report.csv");
exit;
// Disables caching.
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: 0");
// Sets CORS headers to allow access from a different origin.
header("Access-Control-Allow-Origin: https://frontend.example.com");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization");
// Sets security headers.
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
// Sets the status code using http_response_code().
http_response_code(404);
echo "Page not found.";
// Checks whether headers have already been sent.
if (!headers_sent($file, $line)) {
header("X-Custom-Header: value");
} else {
echo "Headers were already sent in {$file} on line {$line}.";
}
Notes
header() sends HTTP response headers. You cannot call header() after any output has been sent — even a single byte. Always send headers at the very beginning of your script, and make sure that BOM-encoded UTF-8 files or blank lines before the opening <?php tag do not accidentally trigger output.
When performing a redirect with header("Location: ..."), always follow it immediately with exit. Without exit, the script continues executing after the redirect header is sent, which can lead to unintended behavior.
http_response_code() is available in PHP 5.4 and later, and provides a concise way to get or set the status code. Setting the correct status code is important in API development. When returning a JSON response, combine it with json_encode(). For server information and request details, use $_SERVER.
If you find any errors or copyright issues, please contact us.
シェアする