This module allows to set HTTP response headers (both standard and non-standard) on pages by various visibility rule settings. Currently the headers can be set by path, content type and user role.

Use cases

case 1: Set 'Cache-Control' or 'Expires' header to set/reset cache behaviour of browser/cache servers.
case 2: Set 'X-Frame-Options' to restrict your pages rendering on a frame.
case 3: Set 'WWW-Authenticate' to set authentication to pages.


  1. Configure list of allowed headers
  2. Exclude non-functional pages (e.g. Admin pages) globally
  3. Drush extension to cover all functionality
  4. Page level header rule caching
  5. Export/import (using Ctool) header rules from an inc file (MODULE.http_response_headers_default_rule.inc) or hook implementation (hook_http_response_headers_default_rule())

Known issues/problems

  1. The calculation for certain headers (e.g. Expires) happens internally and end user may not aware of it. So entering 600 in expires header value change to ISO date format of 5 minutes from current time.
  2. Doesn't work well with Drupal page cache

Similar projects

Want to help?

You can help by reporting issues at the issue queue or at Github and issuing patch/pull request.

Supporting organizations: 
Drupal 8 version
provides support of D8 and D7

Project information