As a minimal test case, with PHP Version 5.6.31, cURL 7.54.0:

<?php

$headers = array('Authorization: B', 'c : d');
$ch = curl_init("https://ipandheaders.com");
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_exec($ch);
curl_close ($ch);

?>

That site reflects the headers sent:

Accept: */*
C: d
Host: ipandheaders.com

If I deliberately misspell it as:

$headers = array('Authorizationx: B', 'c : d');

The result is

Accept: */*
Authorizationx: B
C: d
Host: ipandheaders.com

or

$headers = array('Authorizatio: B', 'c : d');

gives

Accept: */*
Authorizatio: B
C: d
Host: ipandheaders.com

Using a more realistic header (with a fake token)

$headers = array('Authorization: Bearer JHG56HJGOJ8JH876F', 'c : d');

doesn't help.

Accept: */*
C: d
Host: ipandheaders.com

The error log shows no errors.

My approach seems to have worked here: How to include Authorization header in cURL POST HTTP Request in PHP? But that was 5 years ago. Has something changed?

I tried POSTing

curl_setopt($ch, CURLOPT_POST, 1);

but get a 403 Forbidden error for some seemingly unrelated reason, so I don't know the outcome with POST.

Does PHP only allow an Authorization header in a POST? I can do what I want with Python 'request' using GET without problem.

If PHP's cURL extension is deliberately suppressing any Authorization header, I don't see that revealed at http://php.net/manual/en/function.curl-setopt.php though a comment there by tychay seems to say that is so.

Bob3411

1 Answer

Not sure if this might help or not:

Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers from being sent to other hosts than the first used one, unless specifically permitted with the CURLOPT_UNRESTRICTED_AUTH option.

Source: https://curl.haxx.se/libcurl/c/CURLOPT_HTTPHEADER.html

According to the above, you might need to include the CURLOPT_UNRESTRICTED_AUTH option:

curl_setopt($ch, CURLOPT_UNRESTRICTED_AUTH, 1);

A. Genedy
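
CURLOPT_UNRESTRICTED_AUTH, as quoted in the answer above, permits the Authorization header to reach hosts other than the first one. As an added example (not code from the question or the answer), the PHP below instead follows redirects by hand and attaches the header only while the request stays on the first origin; the function names, the example.test URLs, and the choice to compare scheme and port as well as host are assumptions of this example.

```php
<?php
// Added example, not from the original post. URLs below are constructed.

// True when both URLs share scheme, host and port (the same origin).
function same_origin($a, $b)
{
    $key = function ($url) {
        $default = array('http' => 80, 'https' => 443);
        $p = parse_url($url);
        if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
            return null; // relative or malformed URL: never treated as equal
        }
        $scheme = strtolower($p['scheme']);
        $port = isset($p['port']) ? $p['port']
              : (isset($default[$scheme]) ? $default[$scheme] : 0);
        return array($scheme, strtolower($p['host']), $port);
    };
    $ka = $key($a);
    return $ka !== null && $ka === $key($b);
}

// GET $url, following up to $maxHops redirects manually. The Authorization
// header is attached only while the current URL matches the first origin.
function get_with_scoped_auth($url, $token, $maxHops = 5)
{
    $first = $url;
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $headers = same_origin($first, $url)
            ? array('Authorization: Bearer ' . $token) : array();
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // decide per hop
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute or empty
        curl_close($ch);
        if ($body === false || $code < 300 || $code >= 400 || !$next) {
            return array('url' => $url, 'status' => $code, 'body' => $body,
                         'auth_sent' => !empty($headers));
        }
        $url = $next; // next hop; the header is re-evaluated at loop start
    }
    throw new RuntimeException('too many redirects');
}

// Offline check of the decision logic only (no network request is made).
var_dump(same_origin('https://api.example.test/v1', 'https://api.example.test:443/v2'));
var_dump(same_origin('https://api.example.test/v1', 'https://cdn.example.test/v1'));
var_dump(same_origin('https://api.example.test/v1', 'http://api.example.test/v1'));
```

The `auth_sent` field in the returned array records whether the final hop carried the credential, which makes an unexpected cross-host redirect visible to the caller.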