How to set custom HTTP header values and read them back on the server

An HTTP (Hypertext Transfer Protocol) message is split into a header part and a body part. We can fetch only the headers, without the body, and inspect them like this:

ben@ben-UX305CA:~$ curl --head https://jsonplaceholder.typicode.com/posts/1
HTTP/1.1 200 OK
Date: Fri, 21 Jul 2017 02:09:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 292
Connection: keep-alive
Set-Cookie: __cfduid=d202b5717ee9bfe89c339aa98c18de2141500602950; expires=Sat, 21-Jul-18 02:09:10 GMT; path=/; domain=.typicode.com; HttpOnly
X-Powered-By: Express
Vary: Origin, Accept-Encoding
Access-Control-Allow-Credentials: true
Cache-Control: public, max-age=14400
Pragma: no-cache
Expires: Fri, 21 Jul 2017 06:09:10 GMT
X-Content-Type-Options: nosniff
Etag: W/"124-yiKdLzqO5gfBrJFrcdJ8Yq0LGnU"
Via: 1.1 vegur
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 381a9dd9de540d73-SJC

When we develop our own API and want only callers who hold a valid API key to use it, we can define custom header fields and send the API key in the header. The header names used below (X-Parse-Application-Id, X-Parse-REST-API-Key) follow the Parse REST API convention. Note that a key sent this way is only as secret as the transport: over plain http://, as in the test URL below, anyone on the network path can read it, so a real deployment must serve the API over HTTPS.

Client-side code:

<?php
// Target API endpoint (test host on a private network; plain http://, so
// the key travels in the clear; use https:// in production)
$url = 'http://172.17.0.11/apikey/';
// $query = urlencode('where={"steps":9243}');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// Custom request headers carrying the application id and the API key
curl_setopt(
    $ch,
    CURLOPT_HTTPHEADER,
    array(
        'X-Parse-Application-Id: myApplicationID',
        'X-Parse-REST-API-Key: myRestAPIKey',
        'Content-Type: application/json'
    )
);
// Return the response body as a string instead of printing it directly
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
if ($result === false) {
    // Report transport errors instead of silently echoing an empty string
    echo 'curl error: ' . curl_error($ch) . PHP_EOL;
}
curl_close($ch);

echo $result;

Next, do a quick test in the API page itself to check that the custom headers actually arrive. Method 1 is the more convenient one, but it depends on the SAPI: apache_request_headers() (also available as getallheaders()) only exists when PHP runs as an Apache module or under FastCGI/FPM, whereas Method 2 reads $_SERVER and works under any SAPI.

Server-side API code:

Method 1:

<?php
// Returns the request headers as an associative array, names as sent
$header = apache_request_headers();
echo '<pre>';
print_r($header);
echo '</pre>';
die();

Result of Method 1:

Array
(
    [Host] => 172.17.0.11
    [Accept] => */*
    [X-Parse-Application-Id] => myApplicationID
    [X-Parse-REST-API-Key] => myRestAPIKey
    [Content-Type] => application/json
)

Method 2:

<?php
// $_SERVER holds request headers (HTTP_* keys) together with server and
// CGI environment variables
echo '<pre>';
print_r($_SERVER);
echo '</pre>';
die();

Result of Method 2 (note that - becomes _, the name is upper-cased and HTTP_ is prefixed automatically; Content-Type is the exception and appears as CONTENT_TYPE without the prefix):

Array
(
    [HTTP_HOST] => 172.17.0.11
    [HTTP_ACCEPT] => */*
    [HTTP_X_PARSE_APPLICATION_ID] => myApplicationID
    [HTTP_X_PARSE_REST_API_KEY] => myRestAPIKey
    [CONTENT_TYPE] => application/json
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    [SERVER_SIGNATURE] => 
Apache/2.2.15 (CentOS) Server at 172.17.0.11 Port 80


    [SERVER_SOFTWARE] => Apache/2.2.15 (CentOS)
    [SERVER_NAME] => 172.17.0.11
    [SERVER_ADDR] => 172.17.0.11
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => 172.17.0.11
    [DOCUMENT_ROOT] => /var/www/html
    [SERVER_ADMIN] => root@localhost
    [SCRIPT_FILENAME] => /var/www/html/apikey/index.php
    [REMOTE_PORT] => 45894
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /apikey/
    [SCRIPT_NAME] => /apikey/index.php
    [PHP_SELF] => /apikey/index.php
    [REQUEST_TIME_FLOAT] => 1500603476.817
    [REQUEST_TIME] => 1500603476
)

Once we can read the value, we can use it to decide whether the caller is allowed to run the API. We can go further and keep the API keys in a database together with an expiry date, so that a key stops working once it has expired. Two things to keep in mind when writing that check: request headers are entirely under the caller's control, so the presented key must be looked up and verified on the server side (compare it with hash_equals() rather than ==, so that a wrong key is rejected in constant time), and the key must only ever travel over TLS.
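The following is an added example, not code from the original post, that puts the two server-side pieces together: a portable way to read the custom headers (rebuilt from $_SERVER, so it does not depend on apache_request_headers() being available) and the authorization check with a constant-time key comparison and an expiry date. The key table is constructed sample data standing in for the database lookup the text mentions; the column names key_hash and expires are assumptions, as is storing a SHA-256 hash of the key rather than the key itself.

```php
<?php
declare(strict_types=1);

// Added example: server-side API-key check for the X-Parse-* headers.

/**
 * Rebuild the request headers from $_SERVER, keyed by lower-case header
 * name, so the lookup works under any SAPI. HTTP_X_PARSE_REST_API_KEY
 * becomes x-parse-rest-api-key; CONTENT_TYPE / CONTENT_LENGTH are the two
 * keys PHP exposes without the HTTP_ prefix.
 */
function request_headers(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = strtolower(str_replace('_', '-', substr($key, 5)));
            $headers[$name] = $value;
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            $headers[strtolower(str_replace('_', '-', $key))] = $value;
        }
    }
    return $headers;
}

/**
 * Constructed key table standing in for the database. In a real deployment
 * only the hash and the expiry are stored, never the plaintext key.
 * 'key_hash' and 'expires' are hypothetical column names.
 */
function key_table(): array
{
    return [
        'myApplicationID' => [
            'key_hash' => hash('sha256', 'myRestAPIKey'),
            'expires'  => strtotime('2100-01-01 00:00:00 UTC'),
        ],
        'expiredApp' => [
            'key_hash' => hash('sha256', 'oldKey'),
            'expires'  => strtotime('2017-01-01 00:00:00 UTC'),
        ],
    ];
}

/**
 * Decide whether the request may run the API.
 * Returns [HTTP status, message]. Everything in $headers is attacker
 * controlled, so the key is never trusted before it is verified here.
 */
function authorize(array $headers, array $table, int $now): array
{
    $appId = $headers['x-parse-application-id'] ?? '';
    $key   = $headers['x-parse-rest-api-key'] ?? '';
    if ($appId === '' || $key === '') {
        return [401, 'missing credentials'];
    }

    $row = $table[$appId] ?? null;
    // Always run the comparison, so an unknown app id takes the same time
    // as a wrong key; hash_equals() compares the two digests in constant time.
    $stored = $row['key_hash'] ?? hash('sha256', '');
    $match  = hash_equals($stored, hash('sha256', $key));
    if ($row === null || !$match) {
        return [401, 'invalid credentials'];
    }
    if ($now >= $row['expires']) {
        return [403, 'key expired'];
    }
    return [200, 'ok'];
}

// Entry point when the file runs under a web server.
$headers = request_headers($_SERVER);
[$status, $message] = authorize($headers, key_table(), time());
http_response_code($status);
header('Content-Type: application/json');
echo json_encode(['status' => $status, 'message' => $message]);
if ($status !== 200) {
    exit;
}
// The actual API work goes here, reached only with a valid, unexpired key.
```

With the client code from earlier in the post, the request carrying myApplicationID / myRestAPIKey gets a 200; dropping either header gives 401, and the expiredApp entry shows the 403 path once its expiry date has passed.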