
Adding response headers (add_header) in Nginx - Practice Problems & Coding Challenges

Challenge - 5 Problems
💻 Command Output
intermediate
What is the output of this nginx configuration snippet?
Given this nginx server block snippet, what response header will be added to all responses?
Nginx
server {
    listen 80;
    server_name example.com;

    location / {
        add_header X-Custom-Header "HelloWorld";
        return 200 'OK';
    }
}
A. No X-Custom-Header added to response
B. Response includes header: X-Custom-Header: "HelloWorld" (with quotes)
C. Response includes header: X-Custom-Header: HelloWorld with status 404
D. Response includes header: X-Custom-Header: HelloWorld
💡 Hint
Remember that add_header adds headers without quotes in the value.
Troubleshoot
intermediate
Why is the custom header not appearing on 404 responses?
You added add_header X-Test "TestValue"; inside the location block, but the header does not appear on 404 error pages. Why?
A. add_header only adds headers on successful (2xx) responses by default
B. The header name is invalid and ignored by nginx
C. You must restart nginx for add_header to work
D. add_header works only in http block, not location
💡 Hint
Check nginx documentation about add_header behavior on error responses.
Configuration
advanced
Which configuration correctly adds a security header on all responses including errors?
Select the nginx configuration snippet that adds the header 'X-Security: Enabled' on every response, including 404 and 500 errors.
A. add_header X-Security "Enabled" always;
B. add_header X-Security "Enabled";
C. add_header always X-Security "Enabled";
D. add_header X-Security Enabled always;
💡 Hint
The 'always' parameter must come after the header value.
🔀 Workflow
advanced
Order of add_header directives in nested blocks
Given this nginx config, which headers will be present in the response for a request to /api/data?
http {
    add_header X-Global "global";
    server {
        listen 80;
        add_header X-Server "server";
        location /api/ {
            add_header X-API "api";
            location /api/data {
                add_header X-Data "data";
                return 200 'OK';
            }
        }
    }
}
A. X-API, X-Data
B. Only X-Data
C. X-Global, X-Server, X-API, X-Data
D. X-Global, X-Server, X-Data
💡 Hint
Headers from outer blocks are inherited unless overridden.
Best Practice
expert
What is the recommended way to add security headers globally in nginx?
You want to add security headers like Content-Security-Policy and X-Frame-Options to all responses on your nginx server, including error pages. What is the best practice?
A. Add add_header directives without 'always' inside each server block
B. Add add_header directives with 'always' parameter inside the http block
C. Add add_header directives inside location blocks only for main routes
D. Use add_header directives only in error_page blocks
💡 Hint
Think about coverage and maintainability for all responses.

Practice

1. What is the main purpose of the add_header directive in nginx?
easy
A. To configure server listening ports
B. To add extra information to HTTP responses
C. To redirect HTTP requests to HTTPS
D. To define server root directory

Solution

  1. Step 1: Understand the role of add_header

    The add_header directive is used to add extra HTTP headers to responses sent by nginx.
  2. Step 2: Compare with other options

    Redirecting requests, configuring ports, and defining root directories are unrelated to adding headers.
  3. Final Answer:

    To add extra information to HTTP responses -> Option B
  4. Quick Check:

    add_header adds headers [OK]
Hint: Remember: add_header adds info to HTTP responses [OK]
Common Mistakes:
  • Confusing add_header with redirect directives
  • Thinking add_header sets server ports
  • Assuming add_header changes root directory
2. Which of the following is the correct syntax to add a custom header named X-Custom-Header with value MyValue in nginx?
easy
A. add_header "X-Custom-Header: MyValue";
B. add_header X-Custom-Header = MyValue;
C. add_header X-Custom-Header MyValue;
D. add_header X-Custom-Header => MyValue;

Solution

  1. Step 1: Recall nginx add_header syntax

    The correct syntax is add_header name value; without extra symbols like = or =>.
  2. Step 2: Validate each option

    add_header X-Custom-Header MyValue; matches correct syntax. Options A, B, and D use invalid syntax with quotes or symbols.
  3. Final Answer:

    add_header X-Custom-Header MyValue; -> Option C
  4. Quick Check:

    Syntax is add_header name value; [OK]
Hint: Use simple syntax: add_header name value; [OK]
Common Mistakes:
  • Adding quotes around header name and value
  • Using = or => symbols incorrectly
  • Missing semicolon at the end
3. Given this nginx config snippet inside a server block:
add_header X-Test "Hello";

location /error {
  return 404;
}

What happens when a client requests /error?
medium
A. The server throws a configuration error
B. The response includes header X-Test: Hello with 404 status
C. The response returns 200 OK with X-Test header
D. The response returns 404 without X-Test header

Solution

  1. Step 1: Understand default add_header behavior on errors

    By default, add_header does NOT add headers on error responses like 404.
  2. Step 2: Analyze the config and request

    The location returns 404, so X-Test header is omitted unless always is used.
  3. Final Answer:

    The response returns 404 without X-Test header -> Option D
  4. Quick Check:

    Headers not added on errors without always [OK]
Hint: Headers need 'always' to appear on error responses [OK]
Common Mistakes:
  • Assuming headers always appear on error responses
  • Confusing return status with header presence
  • Expecting 200 OK instead of 404
4. You want to add a security header X-Frame-Options: DENY to all responses including errors. Which nginx config fixes this incorrect snippet?
add_header X-Frame-Options DENY;

But headers are missing on 404 pages.
medium
A. Change to add_header X-Frame-Options DENY always;
B. Add always; on a separate line
C. Use add_header X-Frame-Options DENY on_error;
D. Move add_header inside error_page block

Solution

  1. Step 1: Identify why headers are missing on errors

    By default, add_header skips error responses unless always is added.
  2. Step 2: Fix syntax to include headers on all responses

    Adding always on the same line ensures headers appear even on errors.
  3. Final Answer:

    Change to add_header X-Frame-Options DENY always; -> Option A
  4. Quick Check:

    Use 'always' on same line to add headers on errors [OK]
Hint: Add 'always' on same line to include headers on errors [OK]
Common Mistakes:
  • Placing 'always' on a separate line
  • Using invalid keywords like 'on_error'
  • Moving add_header inside unrelated blocks
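
A check for the mistake in question 4, added here as an example that is not part of the original quiz: it scans nginx configuration text for the security headers this page names and reports any add_header for them that lacks always, which the solutions above say leaves the header off error responses. The function names, the default header list and the sample configuration are assumptions made for the illustration.

```python
import re
# Header names this page wants on every response, errors included (assumed default).
REQUIRED = ("Content-Security-Policy", "X-Frame-Options")
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|\S+')

def iter_directives(conf):
    """Yield (line_no, tokens) for each ';'-terminated directive."""
    buf, quote, comment, line, start = [], None, False, 1, 1
    for ch in conf:
        if ch == "\n":
            line, comment = line + 1, False
        if comment:
            continue
        if quote:                      # inside quotes, ';' and '#' are literal
            buf.append(ch)
            if ch == quote and buf[-2] != "\\":
                quote = None
        elif ch == "#":
            comment = True
        elif ch in ";{}":              # block headers such as 'server {' are dropped
            if ch == ";" and buf:
                yield start, _TOKEN.findall("".join(buf))
            buf = []
        elif buf or not ch.isspace():  # skip whitespace before a directive
            if not buf:
                start = line
            if ch in "\"'":
                quote = ch
            buf.append(ch)

def missing_always(conf, required=REQUIRED):
    """Return (line, header, problem) for required headers not sent on errors."""
    wanted = {h.lower(): h for h in required}
    seen, findings = set(), []
    for line_no, tok in iter_directives(conf):
        name = tok[1].strip("\"'").lower() if len(tok) > 2 else ""
        if tok[0] == "add_header" and name in wanted:
            seen.add(name)
            if tok[-1] != "always" or len(tok) != 4:
                findings.append((line_no, wanted[name], "no 'always'"))
    return findings + [(0, wanted[n], "not set") for n in sorted(set(wanted) - seen)]

# Constructed sample configuration, not taken from a real server.
SAMPLE = """http {
    add_header X-Frame-Options DENY;   # line 2: missing on 404/500 pages
    add_header Content-Security-Policy "default-src 'self'; img-src *" always;
    server { listen 80; location / { return 200 'OK'; } }
}"""
print(missing_always(SAMPLE))
```

A header that is meant for successful responses only, such as the Strict-Transport-Security case in question 5, should be left out of the `required` list.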
5. You want to add two headers: Cache-Control: no-store for all responses, and Strict-Transport-Security: max-age=31536000 only for successful responses (status 200-299). Which nginx config achieves this correctly?
hard
A. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000;
B. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000 always;
C. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000;
D. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000 always;

Solution

  1. Step 1: Understand 'always' effect on headers

    The always flag makes headers appear on all responses including errors.
  2. Step 2: Apply 'always' only to Cache-Control

    We want Cache-Control on all responses, so add always there. For Strict-Transport-Security, omit always to restrict to 2xx responses.
  3. Final Answer:

    add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000; -> Option A
  4. Quick Check:

    'always' for all responses, omit for success-only [OK]
Hint: Use 'always' only for headers needed on errors [OK]
Common Mistakes:
  • Adding 'always' to all headers causing unwanted error headers
  • Omitting 'always' for headers needed on errors
  • Misunderstanding which responses get headers without 'always'