Adding response headers (add_header) in Nginx - Step-by-Step Execution

Process Flow - Adding response headers (add_header)
Start nginx config
Read add_header directive
Store header name and value
On response generation
Attach header to response
Send response with added headers
End
nginx reads the add_header directive in config, stores the header info, then adds it to each response before sending.
Execution Sample
Nginx
add_header X-Custom-Header "HelloWorld";

location = / {
    add_header Cache-Control "no-cache";
}
This config adds two headers: X-Custom-Header globally and Cache-Control only for / location.
Process Table
| Step | Directive Read | Header Name | Header Value | Scope | Action |
|---|---|---|---|---|---|
| 1 | add_header X-Custom-Header "HelloWorld"; | X-Custom-Header | HelloWorld | http (global) | Store header for all responses |
| 2 | add_header Cache-Control "no-cache"; | Cache-Control | no-cache | location = / | Store header for / responses |
| 3 | Request to / | - | - | - | Attach X-Custom-Header and Cache-Control headers to response |
| 4 | Request to /about.html | - | - | - | Attach only X-Custom-Header header to response |
| 5 | Request to /api/data | - | - | - | Attach only X-Custom-Header header to response |
💡 All requests processed; headers added according to scope.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | Final |
|---|---|---|---|---|
| Headers Stored | {} | {"X-Custom-Header": "HelloWorld"} | {"X-Custom-Header": "HelloWorld", "Cache-Control": "no-cache" (location = /)} | {"X-Custom-Header": "HelloWorld" globally, "Cache-Control": "no-cache" for / location} |
Key Moments - 2 Insights
Why does the Cache-Control header only appear on responses for the / location?
Because in step 2, the add_header directive for Cache-Control is inside the location = / block, so it applies only to requests matching that location, as shown in steps 3 and 4 of the Process Table.
Does the global add_header directive apply to all requests?
Yes, the global add_header directive (step 1) applies to all responses unless overridden or supplemented by location-specific headers, as seen in steps 3, 4, and 5.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table. Which headers are added to the response for a request to /api/data?
A. Both X-Custom-Header and Cache-Control
B. Cache-Control only
C. X-Custom-Header only
D. No headers added
💡 Hint
Check step 5 in the Process Table, where the /api/data request is handled.
At which step is the Cache-Control header stored for the / location?
A. Step 2
B. Step 1
C. Step 3
D. Step 4
💡 Hint
Look at the Directive Read column in the Process Table.
If you remove the global add_header directive, what happens to the X-Custom-Header in responses?
A. It still appears on all responses
B. It does not appear on any response
C. It appears only on / location responses
D. It appears only on /api/data responses
💡 Hint
Refer to the Status Tracker and Process Table steps 1 and 3-5.
Concept Snapshot
add_header HEADER_NAME "VALUE";

- Adds a response header to HTTP replies.
- Can be set globally or inside location blocks.
- Location headers override or add to global headers.
- Headers appear in client responses accordingly.
Full Transcript
This visual execution shows how nginx processes add_header directives. First, it reads the global add_header directive and stores the header name and value. Then it reads location-specific add_header directives and stores those separately. When a request comes in, nginx attaches the stored headers to the response based on the request's location. For example, the global header X-Custom-Header is added to all responses, while Cache-Control is added only to responses for the / location. This step-by-step trace helps understand how headers are applied depending on configuration scope.

Practice

1. What is the main purpose of the add_header directive in nginx?
easy
A. To configure server listening ports
B. To add extra information to HTTP responses
C. To redirect HTTP requests to HTTPS
D. To define server root directory

Solution

  1. Step 1: Understand the role of add_header

    The add_header directive is used to add extra HTTP headers to responses sent by nginx.
  2. Step 2: Compare with other options

    Redirecting requests, configuring ports, and defining root directories are unrelated to adding headers.
  3. Final Answer:

    To add extra information to HTTP responses -> Option B
  4. Quick Check:

    add_header adds headers [OK]
Hint: Remember: add_header adds info to HTTP responses [OK]
Common Mistakes:
  • Confusing add_header with redirect directives
  • Thinking add_header sets server ports
  • Assuming add_header changes root directory
2. Which of the following is the correct syntax to add a custom header named X-Custom-Header with value MyValue in nginx?
easy
A. add_header "X-Custom-Header: MyValue";
B. add_header X-Custom-Header = MyValue;
C. add_header X-Custom-Header MyValue;
D. add_header X-Custom-Header => MyValue;

Solution

  1. Step 1: Recall nginx add_header syntax

    The correct syntax is add_header name value; without extra symbols like = or =>.
  2. Step 2: Validate each option

    add_header X-Custom-Header MyValue; matches correct syntax. Options A, B, and D use invalid syntax with quotes or symbols.
  3. Final Answer:

    add_header X-Custom-Header MyValue; -> Option C
  4. Quick Check:

    Syntax is add_header name value; [OK]
Hint: Use simple syntax: add_header name value; [OK]
Common Mistakes:
  • Adding quotes around header name and value
  • Using = or => symbols incorrectly
  • Missing semicolon at the end
3. Given this nginx config snippet inside a server block:
add_header X-Test "Hello";

location /error {
  return 404;
}

What happens when a client requests /error?
medium
A. The server throws a configuration error
B. The response includes header X-Test: Hello with 404 status
C. The response returns 200 OK with X-Test header
D. The response returns 404 without X-Test header

Solution

  1. Step 1: Understand default add_header behavior on errors

    By default, add_header does NOT add headers on error responses like 404.
  2. Step 2: Analyze the config and request

    The location returns 404, so X-Test header is omitted unless always is used.
  3. Final Answer:

    The response returns 404 without X-Test header -> Option D
  4. Quick Check:

    Headers not added on errors without always [OK]
Hint: Headers need 'always' to appear on error responses [OK]
Common Mistakes:
  • Assuming headers always appear on error responses
  • Confusing return status with header presence
  • Expecting 200 OK instead of 404
4. You want to add a security header X-Frame-Options: DENY to all responses including errors. Which nginx config fixes this incorrect snippet?
add_header X-Frame-Options DENY;

But headers are missing on 404 pages.
medium
A. Change to add_header X-Frame-Options DENY always;
B. Add always; on a separate line
C. Use add_header X-Frame-Options DENY on_error;
D. Move add_header inside error_page block

Solution

  1. Step 1: Identify why headers are missing on errors

    By default, add_header skips error responses unless always is added.
  2. Step 2: Fix syntax to include headers on all responses

    Adding always on the same line ensures headers appear even on errors.
  3. Final Answer:

    Change to add_header X-Frame-Options DENY always; -> Option A
  4. Quick Check:

    Use 'always' on same line to add headers on errors [OK]
Hint: Add 'always' on same line to include headers on errors [OK]
Common Mistakes:
  • Placing 'always' on a separate line
  • Using invalid keywords like 'on_error'
  • Moving add_header inside unrelated blocks
5. You want to add two headers: Cache-Control: no-store for all responses, and Strict-Transport-Security: max-age=31536000 only for successful responses (status 200-299). Which nginx config achieves this correctly?
hard
A. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000;
B. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000 always;
C. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000;
D. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000 always;

Solution

  1. Step 1: Understand 'always' effect on headers

    The always flag makes headers appear on all responses including errors.
  2. Step 2: Apply 'always' only to Cache-Control

    We want Cache-Control on all responses, so add always there. For Strict-Transport-Security, omit always to restrict to 2xx responses.
  3. Final Answer:

    add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000; -> Option A
  4. Quick Check:

    'always' for all responses, omit for success-only [OK]
Hint: Use 'always' only for headers needed on errors [OK]
Common Mistakes:
  • Adding 'always' to all headers causing unwanted error headers
  • Omitting 'always' for headers needed on errors
  • Misunderstanding which responses get headers without 'always'
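
An added example (not part of the original page or of nginx itself): a small Python 3.8+ auditor that models the 'always' rule from practice questions 3 to 5 and reports which headers survive on an error response. It assumes every add_header directive sits at one configuration level; the sample config, WANTED_ON_ERRORS and all function names are constructed for this illustration.

```python
import shlex

# Status codes on which nginx emits an add_header header without "always"
# (list from the ngx_http_headers_module documentation).
DEFAULT_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}

# Headers this example expects on every response (an assumption; adjust per policy).
WANTED_ON_ERRORS = {"x-frame-options", "x-content-type-options",
                    "content-security-policy"}

# Constructed sample: the directives from practice questions 3-5, one server block.
SAMPLE = """
server {
    add_header X-Test "Hello";
    add_header X-Frame-Options DENY;
    add_header Cache-Control no-store always;
    add_header Strict-Transport-Security max-age=31536000;
    location /error { return 404; }
}
"""

def parse_add_headers(config):
    """Return (name, value, always) for each add_header directive in config."""
    lex = shlex.shlex(config, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True            # keep tokens like max-age=31536000 whole
    found, stmt = [], []
    for tok in lex:
        if tok and set(tok) <= set(";{}"):  # end of a directive or block
            if stmt[:1] == ["add_header"] and len(stmt) >= 3:
                found.append((stmt[1], stmt[2], stmt[3:] == ["always"]))
            stmt = []
        else:
            stmt.append(tok)
    return found

def headers_for_status(directives, status):
    """Headers attached to a response with this status code."""
    return {name: value for name, value, always in directives
            if always or status in DEFAULT_CODES}

def missing_on_errors(directives):
    """Wanted headers that are set without 'always' and so vanish on 4xx/5xx."""
    return sorted(name for name, _, always in directives
                  if name.lower() in WANTED_ON_ERRORS and not always)

if __name__ == "__main__":
    parsed = parse_add_headers(SAMPLE)
    print("404 response carries:", headers_for_status(parsed, 404))
    print("add 'always' to:", missing_on_errors(parsed))
```

Strict-Transport-Security is left out of WANTED_ON_ERRORS on purpose, matching question 5, where it is meant to appear only on successful responses.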