Adding some information after some time, since I came across this question while researching something related.
I believe that the status header field was originally invented as part of the CGI specification, RFC 3875:
https://tools.ietf.org/html/rfc3875#section-6.3.3
Quote:
The Status header field contains a 3-digit integer result code that indicates the level of success of the script attempt to handle the request. Status = "Status:" status-code SP reason-phrase NL status-code = "200" | "302" | "400" | "501" | extension-code extension-code = 3digit reason-phrase = *TEXT
It allows a CGI script to return a status code to a web server, which overrides the default value specified in the HTTP status bar. Typically, the server buffers the result from the script and emits a new header for the client. This is a valid HTTP header that begins with the modified HTTP status bar and omits the "Status:" header field (plus some other conversions provided by the RFC).
So, all your examples are valid from a CGI script, but only the first one is really valid in the HTTP header. The last two are valid only from a CGI script (or, possibly, a FastCGI application).
A CGI script can also run in "incompatible header" (NPH) mode when it generates a full and valid HTTP header, which the web server transmits to the client verbatim. Thus, this should not include the Status header field:
Note that I am interested in what status should win if the NPH script is a little erroneous and emits a Status: header field, possibly in addition to the HTTP status bar. I cannot find any clear directions, so I suspect that it is left to implement what parses the output, whether it be a client or a server.
wu-lee
source share