Forum

X- Headers removed from CGI output in v10.1

Joe Schmoe
17 February 2016, 09:59
Looks like headers beginning with "X-" have been removed from CGI output in v10.1.

This is problematic for the Drupal CMS since it is setting its own headers for security. Here is a sample set of response headers that have been removed.

X-Drupal-Ajax-Token: 1
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 8 (https://www.drupal.org)
X-UA-Compatible: IE=edge
x-content-type-options: nosniff

The main one that is causing problems is X-Drupal-Ajax-Token as it is used for verification of XMLHttpRequest responses to prevent cross-site scripting attacks.

More info:
https://api.drupal.org/api/drupal/includes!ajax.inc/function/ajax_set_verification_header/7
https://www.drupal.org/node/2580191
Hugo Leisink
17 February 2016, 13:40
To undo that, remove lines 1057 - 1059 from src/target.c. I will fix this in the next release.
Joe Schmoe
17 February 2016, 14:06
I was going to do exactly that and test today. Any particular reason they were removed in the first place?

Thanks Hugo.
Hugo Leisink
17 February 2016, 14:10
Many of the X- headers are messages meant for the webserver. So, for security reasons I decided to remove them from the final output. Seems I was a bit too careless when I removed them all.
Joe Schmoe
17 February 2016, 16:51
Just recompiled without the offending lines and works as expected. Thanks again.
josh
25 February 2016, 07:59
You'd need to take a "Blacklist" approach. Only remove specific x headers.
cacheGuy
25 February 2016, 08:05
Some headers that should definitely be removed and not get sent to the browser:
X-Hiawatha-Cache
X-Sendfile
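Added example (not Hiawatha's own code, and not what src/target.c does): a header filter that takes the denylist approach josh suggests. Only the two server-internal headers named in this thread, X-Sendfile and X-Hiawatha-Cache, are stripped from the CGI output; every other X- header, including Drupal's X-Drupal-Ajax-Token, is passed through. Header names are compared case-insensitively, since CGI scripts emit them in mixed case (note the lowercase x-content-type-options above), and filtering stops at the blank line that ends the header block so the body is never touched. The sample CGI output is constructed for the demo; the file path in it is a placeholder.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Headers that are instructions from the CGI script to the webserver itself
 * (the two named in this thread). These must not reach the browser. Every
 * other X- header is application data and is passed through unchanged. */
static const char *internal_headers[] = { "X-Sendfile", "X-Hiawatha-Cache" };

/* Constructed sample CGI output: two internal headers mixed with Drupal's
 * security headers, then a body line that happens to look like a header. */
static const char *sample_cgi_output =
    "Content-Type: text/html\r\n"
    "X-Drupal-Ajax-Token: 1\r\n"
    "X-Sendfile: /srv/private/PLACEHOLDER.pdf\r\n"
    "x-hiawatha-cache: 60\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "X-Sendfile: in the body, not a header\n";

/* What the filter is expected to produce for the sample above. */
static const char *expected_sample_output =
    "Content-Type: text/html\r\n"
    "X-Drupal-Ajax-Token: 1\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "X-Sendfile: in the body, not a header\n";

/* True if the line starts with one of the internal header names followed by
 * ':'. Header names are case-insensitive, so compare with tolower(). */
bool is_internal_header(const char *line) {
    size_t count = sizeof(internal_headers) / sizeof(internal_headers[0]);
    for (size_t i = 0; i < count; i++) {
        const char *name = internal_headers[i];
        size_t n = strlen(name);
        size_t j;
        for (j = 0; j < n; j++) {
            if (tolower((unsigned char)line[j]) != tolower((unsigned char)name[j])) break;
        }
        if (j == n && line[n] == ':') return true;
    }
    return false;
}

/* Copies the CGI output 'in' to 'out', dropping denylisted header lines.
 * Lines end in "\n" or "\r\n". The header block ends at the first empty
 * line; that line and everything after it (the body) are copied verbatim.
 * Returns the number of header lines removed, or -1 if 'out' is too small. */
int filter_cgi_headers(const char *in, char *out, size_t outlen) {
    size_t used = 0;
    int removed = 0;
    bool in_headers = true;
    const char *p = in;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) + 1 : strlen(p);
        bool blank = (linelen == 1 && p[0] == '\n') ||
                     (linelen == 2 && p[0] == '\r' && p[1] == '\n');

        if (in_headers && blank) {
            in_headers = false;              /* end of headers; body follows */
        } else if (in_headers && is_internal_header(p)) {
            removed++;                       /* drop this line entirely */
            p += linelen;
            continue;
        }
        if (used + linelen >= outlen) return -1;
        memcpy(out + used, p, linelen);
        used += linelen;
        p += linelen;
    }
    out[used] = '\0';
    return removed;
}

/* Runs the filter over the constructed sample; returns the removed count. */
static char sample_buffer[512];

int run_sample(void) {
    return filter_cgi_headers(sample_cgi_output, sample_buffer, sizeof(sample_buffer));
}

const char *filtered_sample(void) {
    return sample_buffer;
}

int main(void) {
    int removed = run_sample();
    printf("removed %d internal header(s)\n%s", removed, filtered_sample());
    return 0;
}
```

The point of the denylist is visible in the sample: X-Drupal-Ajax-Token and X-Frame-Options survive, the two server-directed headers do not, and the body line that begins with "X-Sendfile:" is left alone because filtering ends at the blank separator line.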
This topic has been closed.