The content-length header is removed by Apache when set by scripts
Apache removes the Content-Length header set by scripts, affecting response handling and performance.
By. Jacob
Edited: 2025-03-21 18:19
This is a rather mind-boggling situation to find yourself in. I have a highly customized setup that used Traefik to manage my Virtual Hosts, including automatic renewal of my Let's Encrypt certificates — it is a step up from manually managing numerous Apache v-host configuration files, I can tell you that much!
Most importantly. Since I am running this in a Docker environment, I can easily switch out Apache with Nginx if I want to. Perhaps the time is coming when I am finally moving away from Apache? I don't really care what server I am using anymore, as I feel comfortable with both.
The cause of the problem is that Apache quietly removed the content-length header for scripts in a previous update, so if you had a PHP script somehow setting it, it would just be ignored (disappear completely from the request headers):
header('content-length: 10301');
This only seem to happen when using mod_proxy_fcgi, and not when using mod_php.
I have not looked at my HTTP headers for some time, so if a response header just disappears, that is not something I typically notice. You also don't expect it to happen — AND you sure don't expect it to be an official act of sabotage from Apache.
Apparently there was some update to Apache that removed the content-length response header when it was being set by PHP. In order to re-enable it, you have to add this to your Apache configuration file:
SetEnv ap_trust_cgilike_cl 1
The reason it was removed was apparently to prevent a denial of service attack. The content-length header is not only sent by web servers, it can also be sent by clients when performing HTTP POST requests, and that's where the security issue occurred.
Of course, you can easily test for this with curl:
curl -I https://beamtic.com/files/alphabet-permutations/alphabet-three-letter-permutations.txt
Tell us what you think: