4.6.x common.inc drupal_set_header($header = NULL)
4.7.x common.inc drupal_set_header($header = NULL)
5.x common.inc drupal_set_header($header = NULL)
6.x common.inc drupal_set_header($header = NULL)

Set an HTTP response header for the current page.

Note: When sending a Content-Type header, always include a 'charset' type, too. This is necessary to avoid security bugs (e.g. UTF-7 XSS).

Note: No special sanitizing needs to be done to headers. However if a header value contains a line break a PHP warning will be thrown and the header will not be set.

15 calls to drupal_set_header()
blogapi_rsd in modules/blogapi/blogapi.module
drupal_access_denied in includes/common.inc
Generates a 403 error if the request is not allowed.
drupal_get_headers in includes/common.inc
Get the HTTP response headers for the current page.
drupal_json in includes/common.inc
Return data in JSON format.
drupal_not_found in includes/common.inc
Generates a 404 error if the request can not be handled.

... See full list


includes/common.inc, line 150
Common functions that many Drupal modules will need to reference.


function drupal_set_header($header = NULL) {

  // We use an array to guarantee there are no leading or trailing delimiters.
  // Otherwise, header('') could get called when serving the page later, which
  // ends HTTP headers prematurely on some PHP versions.
  static $stored_headers = array();
  if (strlen($header)) {

    // Protect against header injection attacks if PHP is too old to do that.
    if (version_compare(PHP_VERSION, '5.1.2', '<') && (strpos($header, "\n") !== FALSE || strpos($header, "\r") !== FALSE)) {

      // Use the same warning message that newer versions of PHP use.
      trigger_error('Header may not contain more than a single header, new line detected', E_USER_WARNING);
    else {
      $stored_headers[] = $header;
  return implode("\n", $stored_headers);


Anonymous’s picture

In Drupal 7, the equivalent function is drupal_add_http_header().

johnvsc’s picture

putting this here so that when I need it again, i will find it i a logical place :P

/* setting up the site to no cache data */
function some_module_name_set_page_headers(){
  drupal_set_header("CacheControl: no-cache");
  drupal_set_header("Pragma: no-cache");
  drupal_set_header("Expires: -1");
Schnitzel’s picture

it is Cache-Control not CacheControl :)

johnvsc’s picture

Because I live in the theme layer ->

// put this in template.php
function  theme_name_page_headers(){
  drupal_set_html_head('<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">');
  drupal_set_html_head('<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">');

This is very important: you need to call it from the preprocessing page function:

// also in template.php

function theme_name_preprocess_page(&$vars, $hook) {

  $vars['head'] =  drupal_get_html_head();

Yoshi’s picture

In case you come across this in search like I did the equivalent in D7 is drupal_add_http_header.


sumachaa’s picture

Please let me know if there is any way to add the http_response_code to the header function