Custom Response Headers

Lesson 23 of 25 3 min read
  • JNext lesson
  • KPrevious lesson
  • FSearch lessons
  • EscClear search

Custom redirect headers let your short links carry metadata: CORS headers for API-style links, cache directives, security headers, or correlation IDs your downstream analytics can pick up. GT Link Manager exposes the full header array through the gtlm_headers filter, and this lesson shows the patterns worth copying.

Requirements

  • GT Link Manager 1.5+ installed and active
  • No external services needed

Installation

  • Add the snippet below to your theme’s functions.php or a site-specific plugin
  • Customize the headers based on your needs — the snippet includes four ready-to-use examples

The Code

<?php
/**
 * GT Link Manager - Custom Response Headers
 *
 * Add custom HTTP headers to redirect responses. Useful for:
 * - CORS headers for API-like short links
 * - Security headers
 * - Custom cache directives
 * - Tracking headers for downstream analytics
 *
 * Uses the `gtlm_headers` filter to modify headers before they are sent.
 */

defined( 'ABSPATH' ) || exit;

add_filter( 'gtlm_headers', 'gtlm_custom_headers', 10, 3 );

/**
 * Add custom headers to redirect responses.
 *
 * @param array  $headers    Existing headers (key => value).
 * @param array  $link       Link data.
 * @param string $match_slug Matched slug.
 * @return array Modified headers.
 */
function gtlm_custom_headers( array $headers, array $link, string $match_slug ): array {

	// ── Example 1: Add a unique click ID for downstream tracking ─────────────
	// Useful when the destination receives the redirect and wants to correlate
	// the click back to this redirect event.
	$headers['X-GTLM-Click-ID'] = wp_generate_uuid4();

	// ── Example 2: CORS headers for short links used in API contexts ─────────
	// Uncomment if your short links are fetched via JavaScript (e.g., AJAX).
	// $headers['Access-Control-Allow-Origin']  = '*';
	// $headers['Access-Control-Allow-Methods'] = 'GET';

	// ── Example 3: Security headers ──────────────────────────────────────────
	// These are good defaults. The redirect itself is fast, but some crawlers
	// may inspect headers.
	$headers['X-Content-Type-Options'] = 'nosniff';
	$headers['Referrer-Policy']        = 'no-referrer-when-downgrade';

	// ── Example 4: Custom header per category ────────────────────────────────
	// Tag redirects so downstream systems know the link category.
	if ( ! empty( $link['category_id'] ) ) {
		$headers['X-GTLM-Category'] = (string) $link['category_id'];
	}

	return $headers;
}

How It Works

  • Uses the gtlm_headers filter to modify HTTP headers before they are sent with the redirect response
  • Receives the existing headers array, link data, and matched slug as parameters
  • Returns the modified headers array — add, remove, or change any header

Included Examples

  • Click ID header — Adds a X-GTLM-Click-ID UUID header so the destination can correlate the click back to this redirect event
  • CORS headers — Commented out by default. Uncomment if your short links are fetched via JavaScript/AJAX
  • Security headers — Adds X-Content-Type-Options: nosniff and a sensible Referrer-Policy
  • Category header — Sends the link’s category ID as X-GTLM-Category so downstream systems can route or tag based on category

Configuration Notes

Modify the function to add any headers your infrastructure requires. Headers are set just before the Location header and the redirect, so they travel with the 301/302/307 response.

Headers compose cleanly with the other redirect-time hooks in the hooks reference. If you’re tagging requests for analytics correlation, the UTM passthrough lesson handles the query-string side.