function drupal_page_header

Sets HTTP headers in preparation for a page response.

Authenticated users are always given a 'no-cache' header, and will fetch a fresh page on every request. This prevents authenticated users from seeing locally cached pages.

ETag and Last-Modified headers are not set by default for authenticated users so that browsers do not send If-Modified-Since headers from authenticated user pages. drupal_serve_page_from_cache() will set appropriate ETag and Last-Modified headers for cached pages.

See also


2 calls to drupal_page_header()
install_display_output in includes/
Displays themed installer output and ends the page request.
_drupal_bootstrap_page_header in includes/
Invokes hook_boot(), initializes locking system, and sends HTTP headers.


includes/, line 1577


function drupal_page_header() {
    // Static flag so that the default headers are only sent once per request.
    $headers_sent = &drupal_static(__FUNCTION__, FALSE);
    if ($headers_sent) {
        return TRUE;
    }
    $headers_sent = TRUE;
    $default_headers = array(
        'Expires' => 'Sun, 19 Nov 1978 05:00:00 GMT',
        'Cache-Control' => 'no-cache, must-revalidate',
        // Prevent browsers from sniffing a response and picking a MIME type
        // different from the declared content-type, since that can lead to
        // XSS and other vulnerabilities.
        'X-Content-Type-Options' => 'nosniff',
    );
    drupal_send_headers($default_headers);
}
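
The header policy described above can be checked from the outside on a captured response to an authenticated request. The following PHP is an added example, not Drupal's own code: audit_authenticated_headers() is a hypothetical helper and both header sets are constructed samples. It flags headers that depart from the defaults set by drupal_page_header().

```php
<?php
// Added example, not Drupal code: audit_authenticated_headers() is a
// hypothetical helper and the sample responses are constructed.
function audit_authenticated_headers(array $raw_lines, $now) {
  // Header names are case-insensitive, so index them in lower case.
  $headers = array();
  foreach ($raw_lines as $line) {
    if (strpos($line, ':') !== FALSE) {
      list($name, $value) = explode(':', $line, 2);
      $headers[strtolower(trim($name))] = trim($value);
    }
  }
  $findings = array();
  $cache_control = isset($headers['cache-control']) ? strtolower($headers['cache-control']) : '';
  $directives = array_map('trim', explode(',', $cache_control));
  // no-store is stricter than the no-cache default, so it is accepted too.
  if (!array_intersect(array('no-cache', 'no-store'), $directives)) {
    $findings[] = 'Cache-Control lets a cache reuse the page without revalidation';
  }
  // An unparseable Expires value counts as already expired.
  $expires = isset($headers['expires']) ? strtotime($headers['expires']) : FALSE;
  if ($expires !== FALSE && $expires > $now) {
    $findings[] = 'Expires is in the future';
  }
  foreach (array('etag', 'last-modified') as $validator) {
    if (isset($headers[$validator])) {
      $findings[] = $validator . ' is set, unlike the default for authenticated pages';
    }
  }
  $sniff = isset($headers['x-content-type-options']) ? strtolower($headers['x-content-type-options']) : '';
  if ($sniff !== 'nosniff') {
    $findings[] = 'X-Content-Type-Options: nosniff is missing';
  }
  return $findings;
}

// Constructed samples: the drupal_page_header() defaults, then an overridden response.
$defaults = array(
  'Expires: Sun, 19 Nov 1978 05:00:00 GMT',
  'Cache-Control: no-cache, must-revalidate',
  'X-Content-Type-Options: nosniff',
);
$overridden = array(
  'Cache-Control: public, max-age=3600',
  'ETag: "constructed-value"',
);
$now = strtotime('2024-01-01 00:00:00 UTC');
print_r(audit_authenticated_headers($defaults, $now));
print_r(audit_authenticated_headers($overridden, $now));
```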
