Why does server respond without headers and body when http status code 500 is set in php-fpm on nginx?

Question

In php-fpm(5.6) on nginx(1.20.1), I'm making an API that responds with http status code 500, some headers and body of json type.

header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header("Access-Control-Allow-Credentials: true");
header("Content-Type: application/json");

http_response_code(500);
die(json_encode([
  'errorMsg' => 'Something went wrong',
]));

But it seems the server responds without the headers and the body as clients(at least Chrome browser) don't receive them.

I tried setting a http status lower than 500 like 40x, and it made the server respond with the headers and the body as I expected.

Do other servers/applications also omit headers and body in response with http status 50x? Or it's just a problem specific to either php or nginx?

Answer 1

Your code works if you comment the first line, which generates an error, with the consequence that no header can be sent after output.

<?
//header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header("Access-Control-Allow-Credentials: true");
header("Content-Type: application/json");

http_response_code(500);
die(json_encode([
  'errorMsg' => 'Something went wrong',
]));
?>

Of course, in the response there is no Access-Control-Allow-Origin, but we can see :

and the correct output:

On my tests platform (php 8.11), $_SERVER['HTTP_ORIGIN'] generates the following error :

Warning: Undefined array key "HTTP_ORIGIN"

Please have a look at this answer to understand why.

Of course, if I set ini_set('display_errors','Off') as first line, all seems working fine but no Access-Control-Allow-Origin header is more present.