Веб сервера, такие как NGINX и Apache отбрасывают заголовки которые содержат в своем имени _ (подчеркивание).
В документаций NGINX написано следующее:
Missing (disappearing) HTTP Headers
If you do not explicitly set
underscores_in_headers on;, NGINX will silently drop HTTP headers with underscores (which are perfectly valid according to the HTTP standard). This is done in order to prevent ambiguities when mapping headers to CGI variables as both dashes and underscores are mapped to underscores during that process.
В документаций Apache написано следующее:
Passing broken headers to CGI scripts
Starting with version 2.4, Apache is more strict about how HTTP headers are converted to environment variables in
mod_cgiand other modules: Previously any invalid characters in header names were simply translated to underscores. This allowed for some potential cross-site-scripting attacks via ? header injection (see Unusual Web Bugs, slide 19/20).If you have to support a client which sends broken headers and which can’t be fixed, a simple workaround involving
mod_setenvifandmod_headersallows you to still accept these headers:# # The following works around a client sending a broken Accept_Encoding # header. # SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1 RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding