What is an HTTP header?
Why do we need it?
How do we use it?
Where do you define a header?
Headers
An HTTP header is information about a request or a response. It is represented as a case-sensitive string.
Headers have been available since HTTP version 1 and allow us to send data beyond hypertext. Before that, HTTP had no headers and carried only hypertext. There are four groups of HTTP headers:
- general header: applies to both request and response and is not related to the body being transmitted.
- request header: additional information about the request (client side).
- response header: additional information about the response (server side).
- entity header: more information about the body of the entity.
Why do we need it?
Headers let the server or the client learn about the content: its length and content type, cache information, access control, and so on.
Informational directive (request & response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Date | The date and time at which the message originated (in "HTTP-date" format as defined by RFC 7231 Date/Time Formats). | Date: Tue, 15 Nov 1994 08:12:31 GMT | Permanent |
| Referer | The address of the previous web page from which a link to the currently requested page was followed. | Referer: http://en.wikipedia.org/wiki/Main_Page | Permanent |
| Upgrade | Asks the server to upgrade to another protocol. | Upgrade: HTTP/2.0, HTTPS/1.3, IRC/6.9, RTA/x11, websocket | Permanent |
| Via | Informs the server of the proxies through which the request was sent. | Via: 1.0 fred, 1.1 example.com (Apache/1.1) | Permanent |
| Warning | A general warning about possible problems with the entity body. | Warning: 199 Miscellaneous warning | Permanent |
Informational directive (request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| From | The email address of the user making the request. | From: [email protected] | Permanent |
| Host | The domain name of the server (for virtual hosting) and the TCP port number on which the server is listening. The port number may be omitted if it is the standard port for the requested service. Mandatory since HTTP/1.1. | Host: en.wikipedia.org:8080 (or Host: en.wikipedia.org) | Permanent |
| Origin | Initiates a request for cross-origin resource sharing (asks the server for an Access-Control-Allow-Origin response field). | Origin: http://www.example-social-network.com | Permanent: standard |
| User-Agent | The user agent string of the user agent. | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/21.0 | Permanent |
Informational directive (response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Server | A name for the server. | Server: Apache/2.4.1 (Unix) | Permanent |
| Status | CGI header field specifying the status of the HTTP response. Normal HTTP responses use a separate "Status-Line" instead, defined by | Status: 200 OK | Not listed as a registered field name |
| Alt-Svc | A server uses the Alt-Svc header (Alternative Services) to indicate that its resources can also be accessed at a different network location (host or port) or using a different protocol. | Alt-Svc: h2="http2.example.com:443"; ma=7200 | Permanent |
Content Negotiation
Content Negotiation (response & request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Connection | Control options for the current connection and list of hop-by-hop request fields. | Connection: keep-alive (or Connection: Upgrade) | Permanent |
| Range | Request only part of an entity. Bytes are numbered from 0. See Byte serving. | Range: bytes=500-999 | Permanent |
| Content-Range | How many bytes are being transferred. | Content-Range: bytes 0-999/12345 | |
| Trailer | The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding. | Trailer: Max-Forwards | Permanent |
| Transfer-Encoding | The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity. | Transfer-Encoding: chunked | Permanent |
Content Negotiation (Response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Accept-Ranges | What partial content range types this server supports via byte serving. | Accept-Ranges: bytes | Permanent |
| Content-Disposition | An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format, or to suggest a filename for dynamic content. Quotes are necessary with special characters. | Content-Disposition: attachment; filename="fname.ext" | Permanent |
| Content-Encoding | The type of encoding used on the data. See HTTP compression. | Content-Encoding: gzip | Permanent |
| Content-Length | The length of the response body in octets (8-bit bytes). | Content-Length: 348 | Permanent |
| Content-Location | An alternate location for the returned data. | Content-Location: /index.htm | Permanent |
| Content-Range | Where in a full body message this partial message belongs. | Content-Range: bytes 21010-47021/47022 | Permanent |
| Content-Type | The MIME type of this content. | Content-Type: text/html; charset=utf-8 | Permanent |
| Expect | Indicates that particular server behaviors are required by the client. | Expect: 100-continue | Permanent |
Content Negotiation (Request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Accept | Content-Types that are acceptable for the response. See Content negotiation. | Accept: text/plain | Permanent |
| Accept-Charset | Character sets that are acceptable. | Accept-Charset: utf-8 | Permanent |
| Accept-Encoding | List of acceptable encodings. See HTTP compression. | Accept-Encoding: gzip, deflate | Permanent |
| Accept-Language | List of acceptable human languages for the response. See Content negotiation. | Accept-Language: en-US | Permanent |
| Accept-Datetime | Acceptable version in time. | Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT | Provisional |
| Content-Length | The length of the request body in octets (8-bit bytes). | Content-Length: 348 | Permanent |
| Content-MD5 | A Base64-encoded binary MD5 sum of the content of the request body. | Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ== | Obsolete |
| Content-Type | The MIME type of the body of the request (used with POST and PUT requests). | Content-Type: application/x-www-form-urlencoded | Permanent |
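The Accept-* headers above carry optional q-values (`gzip;q=0.8`) that rank the client's preferences. The following is an added example, not part of the original notes, showing how a server parses such a list and picks a content coding it supports; the sample header value and the server preference order in SUPPORTED_CODINGS are constructed for the demo.

```python
# Added example (not from the original notes): parse Accept-Encoding / Accept-*
# q-values and choose a content coding the server supports.
# The sample header value below is constructed for this demo.

SAMPLE_ACCEPT_ENCODING = "gzip;q=0.8, deflate, br;q=0.9, identity;q=0"

# Server-side preference order (assumption for this demo): most preferred first.
SUPPORTED_CODINGS = ("br", "gzip", "deflate", "identity")


def parse_q_list(header_value):
    """Return [(token, q), ...] in declared order.

    A missing q parameter means q=1.0. An unparseable q is treated as 0
    ("not acceptable") instead of raising on client-controlled input.
    """
    items = []
    for part in header_value.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        token = pieces[0].lower()
        q = 1.0
        for param in pieces[1:]:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0
                q = max(0.0, min(1.0, q))  # RFC 7231 only allows 0..1
        items.append((token, q))
    return items


def choose_encoding(accept_encoding, supported=SUPPORTED_CODINGS):
    """Pick the acceptable coding with the highest q; ties go to the server's order.

    'identity' is implicitly acceptable at a very low weight unless the client
    refuses it with identity;q=0 or *;q=0, so any explicitly listed coding wins
    over the implicit fallback. Returns None when nothing is acceptable.
    """
    prefs = dict(parse_q_list(accept_encoding))
    best, best_q = None, 0.0
    for coding in supported:
        implicit = 0.001 if coding == "identity" else 0.0
        q = prefs.get(coding, prefs.get("*", implicit))
        if q > best_q:
            best, best_q = coding, q
    return best


if __name__ == "__main__":
    print(parse_q_list(SAMPLE_ACCEPT_ENCODING))
    print(choose_encoding(SAMPLE_ACCEPT_ENCODING))
```

Clamping q to 0..1 and mapping a malformed q to 0 keeps a hostile client from driving the negotiation into an exception path; returning None lets the caller answer 406 Not Acceptable instead of guessing.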
Cache
Cache (Request & Response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Pragma | Implementation-specific fields that may have various effects anywhere along the request-response chain. | Pragma: no-cache | |
| Cache-Control | Used to specify directives that must be obeyed by all caching mechanisms along the request-response chain. | Cache-Control: no-cache | Permanent |
Cache (Request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| If-Match | Only perform the action if the client-supplied entity matches the same entity on the server. This is mainly for methods like PUT, to only update a resource if it has not been modified since the user last updated it. | If-Match: "737060cd8c284d8af7ad3082f209582d" | Permanent |
| If-Modified-Since | Allows a 304 Not Modified to be returned if the content is unchanged. | If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT | Permanent |
| If-None-Match | Allows a 304 Not Modified to be returned if the content is unchanged; see HTTP ETag. | If-None-Match: "737060cd8c284d8af7ad3082f209582d" | Permanent |
| If-Range | If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity. | If-Range: "737060cd8c284d8af7ad3082f209582d" | Permanent |
| If-Unmodified-Since | Only send the response if the entity has not been modified since a specific time. | If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT | Permanent |
Cache (Response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Age | The time the object has spent in a proxy cache, in seconds. | Age: 12 | Permanent |
| Accept-Patch | Specifies which patch document formats this server supports. | Accept-Patch: text/example;charset=utf-8 | Permanent |
| ETag | An identifier for a specific version of a resource, often a message digest. | ETag: "737060cd8c284d8af7ad3082f209582d" | Permanent |
| Last-Modified | The last modified date for the requested object (in "HTTP-date" format as defined by RFC 7231). | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT | Permanent |
| Vary | Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server. | Vary: * (or Vary: Accept-Language) | Permanent |

If you disable the cache in Chrome DevTools, Pragma: no-cache and Cache-Control: no-cache are added to requests automatically.
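The cache tables above pair a validator the server emits (ETag, Last-Modified) with the conditional header the client sends back (If-None-Match, If-Modified-Since). The following is an added example, not from the original notes, of the server-side decision between 200 and 304; the body, the last-modified time and the ETag derivation (a truncated SHA-256 of the body) are constructed for the demo.

```python
# Added example (not from the original notes): evaluate If-None-Match /
# If-Modified-Since against the current representation and decide 200 vs 304.
# Body, last-modified time and ETag scheme are constructed for this demo.
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

SAMPLE_BODY = b"hello world"
SAMPLE_LAST_MODIFIED = datetime(1994, 10, 29, 19, 43, 31, tzinfo=timezone.utc)


def make_etag(body):
    """Strong ETag derived from the body (quoted, as the header syntax requires)."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _split_weak(tag):
    """Separate the W/ prefix from the opaque-tag part."""
    tag = tag.strip()
    if tag.startswith("W/"):
        return tag[2:], True
    return tag, False


def etag_list_matches(header_value, current_etag, strong=False):
    """Match a comma-separated entity-tag list (or '*') against current_etag.

    RFC 7232: If-None-Match uses weak comparison (W/ prefixes are ignored),
    If-Match uses strong comparison (a weak tag never matches).
    """
    if header_value.strip() == "*":
        return True
    cur_opaque, cur_weak = _split_weak(current_etag)
    for tag in header_value.split(","):
        if not tag.strip():
            continue
        opaque, weak = _split_weak(tag)
        if opaque != cur_opaque:
            continue
        if strong and (weak or cur_weak):
            continue
        return True
    return False


def _parse_http_date(value):
    """HTTP-date -> aware datetime, or None when the value is malformed."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # treat a zone-less date as GMT
        when = when.replace(tzinfo=timezone.utc)
    return when


def evaluate_conditional_get(req_headers, body=SAMPLE_BODY,
                             last_modified=SAMPLE_LAST_MODIFIED):
    """Return (status, response_headers) for a GET carrying cache validators.

    If-None-Match takes precedence over If-Modified-Since (RFC 7232 section 6);
    a malformed date is simply ignored, so the client gets a full 200.
    """
    etag = make_etag(body)
    resp = {
        "ETag": etag,
        "Last-Modified": format_datetime(last_modified, usegmt=True),
        "Cache-Control": "no-cache",  # may be stored, must be revalidated
    }
    inm = req_headers.get("If-None-Match")
    if inm is not None:
        return (304 if etag_list_matches(inm, etag) else 200), resp
    ims = req_headers.get("If-Modified-Since")
    if ims is not None:
        since = _parse_http_date(ims)
        if since is not None and last_modified <= since:
            return 304, resp
    return 200, resp


if __name__ == "__main__":
    print(evaluate_conditional_get({"If-None-Match": make_etag(SAMPLE_BODY)}))
    print(evaluate_conditional_get({"If-Modified-Since": "Sat, 29 Oct 1994 19:43:31 GMT"}))
```

The 304 answer repeats the validators so the client can refresh its stored copy's metadata; the weak-versus-strong distinction matters because a weak match is fine for "is my cached copy good enough to show" but not for "only overwrite if nothing changed", which is why If-Match uses strong comparison.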
Cookie
HTTP itself is a stateless protocol, which means it does not store any data on its own. Sometimes, however, you want to keep information such as who the current user is or the contents of a shopping cart. For that you can use cookies.
Cookie (Response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Expires | Gives the date/time after which the response is considered stale (in "HTTP-date" format as defined by RFC 7231). | Expires: Thu, 01 Dec 1994 16:00:00 GMT | Permanent: standard |
| Set-Cookie | An HTTP cookie. | Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1 | Permanent: standard |

Cookie (Request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Cookie | An HTTP cookie previously sent by the server with Set-Cookie (above). | Cookie: $Version=1; Skin=new; | Permanent: standard |
1. Request to the server
GET / HTTP/1.1
Host: google.com
2. Response from the server
HTTP/1.1 200 OK
Date: Thu, 12 Jul 2012 07:12:20 GMT
Server: Apache
Set-Cookie: uid=2113134; path=/; expires=Wed
Content-Type: text/plain; charset=UTF-8
3. Request again
GET /users/123 HTTP/1.1
Host: google.com
Cookie: uid=2113134
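The exchange above shows the server setting a cookie and the client echoing only its name=value pair. The following is an added example, not from the original notes, that parses a raw response, pulls out every Set-Cookie header, audits the attributes a browser relies on (Secure, HttpOnly, SameSite) and rebuilds the Cookie header for the next request. The response text is constructed for the demo, not a real capture.

```python
# Added example (not from the original notes): parse a raw HTTP response,
# extract every Set-Cookie header and audit its security attributes.
# The response text below is constructed for this demo, not a real capture.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 12 Jul 2012 07:12:20 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: uid=2113134; Path=/; HttpOnly\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "hello"
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body).

    Header names are lower-cased so lookups do not depend on how the
    sender capitalised them; malformed lines are skipped, not raised on.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value):
    """'name=value; Attr; Attr=val' -> {'name', 'value', 'attrs'}."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": val.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, aval = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = aval.strip()
    return cookie


def audit_cookie(cookie):
    """Return findings; an empty list means the usual protections are present."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


def audit_response(raw):
    """Map cookie name -> findings for every Set-Cookie in the response."""
    _, headers, _ = parse_response(raw)
    result = {}
    for name, value in headers:
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            result[cookie["name"]] = audit_cookie(cookie)
    return result


def build_cookie_header(cookies):
    """What the client sends back on the next request (step 3 above):
    only name=value pairs, never the attributes."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


if __name__ == "__main__":
    print(audit_response(RAW_RESPONSE))
    cookies = [parse_set_cookie(v) for n, v in parse_response(RAW_RESPONSE)[1]
               if n == "set-cookie"]
    print("Cookie: " + build_cookie_header(cookies))
```

Running the audit over a proxy log or a test-suite response is a cheap way to catch session cookies that went out without Secure or HttpOnly; the uid cookie in the sample shows what such a finding looks like.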
http://www.tohoho-web.com/ex/http.htm#virtualHost
Authorization

Authorization (Request)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Authorization | The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header. | Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== | Permanent |
| Proxy-Authorization | Authorization credentials for connecting to a proxy. | Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== | Permanent |
Authorization: <scheme> <credentials>
Proxy-Authorization: <scheme> <credentials>
Authentication schemes
- Basic (see RFC 7617; base64-encoded credentials),
- Bearer (see RFC 6750, bearer tokens to access OAuth 2.0-protected resources),
- Digest (see RFC 7616, only md5 hashing is supported in Firefox, see bug 472823 for SHA encryption support),
- HOBA (see RFC 7486 (draft), HTTP Origin-Bound Authentication, digital-signature-based),
- Mutual (see draft-ietf-httpauth-mutual),
- AWS4-HMAC-SHA256 (see AWS docs).
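The Basic scheme listed above is just base64 of user:password, so the server has to decode it, split on the first colon only, and verify against a stored hash. The following is an added example, not from the original notes, that does this and builds the 401 challenge; the user store, salt, iteration count and realm are constructed for the demo (the Aladdin / open sesame pair is the RFC 7617 example that the table's header value decodes to).

```python
# Added example (not from the original notes): parse and verify an
# "Authorization: Basic ..." header and issue the matching 401 challenge.
# The user store, salt, iteration count and realm are constructed for this demo.
import base64
import binascii
import hashlib
import hmac

DEMO_SALT = b"constructed-demo-salt"  # real systems use a random per-user salt
DEMO_ITERATIONS = 100_000


def derive(password, salt=DEMO_SALT, iterations=DEMO_ITERATIONS):
    """Password -> PBKDF2-HMAC-SHA256 key; the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed demo store. "Aladdin" / "open sesame" is the RFC 7617 example pair.
USERS = {"Aladdin": derive("open sesame")}


def parse_authorization(header_value):
    """'<scheme> <credentials>' -> (scheme lower-cased, credentials) or None."""
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def decode_basic(credentials):
    """base64('user:password') -> (user, password); None when malformed.

    The password may itself contain ':' so only the first colon splits.
    """
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header_value):
    """Return the user name on success, None otherwise (caller answers 401)."""
    parsed = parse_authorization(header_value)
    if parsed is None or parsed[0] != "basic":
        return None
    creds = decode_basic(parsed[1])
    if creds is None:
        return None
    user, password = creds
    # Always derive, even for unknown users, so response time does not reveal
    # which user names exist; compare_digest avoids an early-exit comparison.
    candidate = derive(password)
    expected = USERS.get(user, bytes(len(candidate)))
    if user in USERS and hmac.compare_digest(candidate, expected):
        return user
    return None


def challenge_headers(realm="demo"):
    """Headers for the 401 response that precedes the Authorization header."""
    return {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}


if __name__ == "__main__":
    print(authenticate("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(challenge_headers())
```

Because Basic sends the password on every request, it is only acceptable over TLS; the charset parameter in the challenge tells clients to encode non-ASCII passwords as UTF-8 before base64, which is why the decoder above decodes as UTF-8.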
Authorization (Response)

| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Proxy-Authenticate | Request authentication to access the proxy. | Proxy-Authenticate: Basic | Permanent |
| WWW-Authenticate | Indicates the authentication scheme that should be used to access the requested entity. | WWW-Authenticate: Basic | Permanent |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
Access control (response)

| Header | Description | Value | Example | Status |
| --- | --- | --- | --- | --- |
| Access-Control-Allow-Origin | Specifies which web sites can participate in cross-origin resource sharing. | | Access-Control-Allow-Origin: * | Provisional |
| Access-Control-Allow-Headers | The Access-Control-Allow-Headers response header is used in response to a preflight request to indicate which HTTP headers will be available via Access-Control-Expose-Headers when making the actual request. | | Access-Control-Allow-Headers: X-Custom-Header | |
| Access-Control-Allow-Methods | The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. | string | Access-Control-Allow-Methods: POST, GET, OPTIONS | |
| Access-Control-Allow-Credentials | | true (case-sensitive); omit the header rather than setting the value to false. | Access-Control-Allow-Credentials: true | |
| Access-Control-Expose-Headers | The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names. | | Access-Control-Expose-Headers: <header-name>, <header-name> (defaults: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) | |
| Access-Control-Max-Age | The Access-Control-Max-Age response header indicates how long the results of a preflight request can be cached. | number | | |
| Allow | Valid methods for a specified resource. To be used for a 405 Method Not Allowed. | GET, POST, PUT, DELETE, OPTIONS | Allow: GET, HEAD | Permanent |
| Accept-Patch | Specifies which patch document formats this server supports. | | Accept-Patch: text/example;charset=utf-8 | Permanent |
| X-Frame-Options | Clickjacking protection: deny (no rendering within a frame), sameorigin (no rendering if origin mismatch), allow-from (allow from the specified location), allowall (non-standard, allow from any location). | | X-Frame-Options: deny | Obsolete |
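The access-control table above lists the headers a server returns for a cross-origin request and for the OPTIONS preflight that precedes non-simple ones. The following is an added example, not from the original notes, that builds those headers against an explicit origin allowlist and audits a response for the combinations browsers reject (for instance `*` together with Allow-Credentials: true); the allowlist, method set, header set and max-age are constructed for the demo.

```python
# Added example (not from the original notes): build the Access-Control-*
# response headers for a request against an explicit origin allowlist, and
# audit a response for the combinations browsers reject. Allowlist, method
# set, header set and max-age are constructed for this demo.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("content-type", "x-custom-header")
PREFLIGHT_MAX_AGE = 600  # seconds a browser may cache the preflight result


def cors_headers(method, req_headers, allow_credentials=True):
    """Return the CORS headers to add, or {} when the request gets none.

    The Origin is echoed only when it is on the allowlist, never reflected
    blindly, and 'Vary: Origin' keeps a shared cache from serving one
    origin's answer to another.
    """
    origin = req_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "Access-Control-Request-Method" in req_headers:
        wanted = req_headers["Access-Control-Request-Method"].strip().upper()
        if wanted not in ALLOWED_METHODS:
            return {}  # preflight fails: the browser will not send the real request
        requested = [h.strip().lower()
                     for h in req_headers.get("Access-Control-Request-Headers", "").split(",")
                     if h.strip()]
        if any(h not in ALLOWED_HEADERS for h in requested):
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return out


def audit_cors_response(resp_headers):
    """Flag CORS header combinations that browsers reject or that are risky."""
    findings = []
    acao = resp_headers.get("Access-Control-Allow-Origin")
    creds = resp_headers.get("Access-Control-Allow-Credentials", "")
    if acao == "*" and creds == "true":
        findings.append("Allow-Origin '*' with Allow-Credentials true is rejected by browsers")
    if acao == "null":
        findings.append("Allow-Origin 'null' matches sandboxed and file: origins")
    if creds and creds != "true":
        findings.append("Allow-Credentials must be exactly 'true' or be omitted")
    if acao and acao not in ("*", "null") and "Origin" not in resp_headers.get("Vary", ""):
        findings.append("per-origin Allow-Origin without 'Vary: Origin'")
    return findings


if __name__ == "__main__":
    print(cors_headers("GET", {"Origin": "https://app.example.com"}))
    print(cors_headers("OPTIONS", {"Origin": "https://app.example.com",
                                   "Access-Control-Request-Method": "POST",
                                   "Access-Control-Request-Headers": "X-Custom-Header"}))
    print(audit_cors_response({"Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true"}))
```

Answering with a single concrete origin rather than `*` is what makes credentialed requests possible at all, and the allowlist lookup is what keeps that from degrading into "reflect whatever Origin arrived", which would grant every site the same access.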
Common non-standard request fields
- X-Forwarded-For
- X-Forwarded-Host
- Front-End-Https
- X-ATT-DeviceId
- X-Wap-Profile
| Header | Description | Example | Status |
| --- | --- | --- | --- |
| Link | Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988. | Link: </feed>; rel="alternate" | Permanent |
| Location | Used in redirection, or when a new resource has been created. | Location: http://www.w3.org/pub/WWW/People.html | Permanent |
| P3P | | P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." | Permanent |
| Public-Key-Pins | HTTP Public Key Pinning; announces the hash of the website's authentic TLS certificate. | Public-Key-Pins: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; | Permanent |
| Refresh | Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. | Refresh: 5; url=http://www.w3.org/pub/WWW/People.html | Proprietary and non-standard: a header extension introduced by Netscape and supported by most web browsers. |
| Retry-After | If an entity is temporarily unavailable, this instructs the client to try again later. The value can be a period of time (in seconds) or an HTTP-date. | Retry-After: 120 (or Retry-After: Fri, 07 Nov 2014 23:59:59 GMT) | Permanent |
| Strict-Transport-Security | An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether it applies to subdomains. | Strict-Transport-Security: max-age=16070400; includeSubDomains | Permanent: standard |
| TSV | Tracking Status Value, suggested to be sent in response to a DNT (do-not-track) request. Possible values: "!" under construction, "?" dynamic, "G" gateway to multiple parties, "N" not tracking, "T" tracking, "C" tracking with consent, "P" tracking only if consented, "D" disregarding DNT, "U" updated. | TSV: ? | Permanent |

http://stackoverflow.com/questions/9197745/what-exactly-is-an-http-entity
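Retry-After in the table above is unusual in accepting two value forms, a number of seconds or an HTTP-date, and a client that follows it blindly can be parked for as long as the server likes. The following is an added example, not from the original notes, that parses both forms and clamps the wait; the cap and the "now" timestamp are constructed for the demo.

```python
# Added example (not from the original notes): parse Retry-After in both
# forms (delay-seconds or HTTP-date) and clamp the wait so a hostile or
# buggy server cannot park a client indefinitely. Cap and timestamp are
# constructed for this demo.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT_SECONDS = 3600  # client-side cap (assumption for this demo)
DEMO_NOW = datetime(2014, 11, 7, 23, 58, 59, tzinfo=timezone.utc)


def parse_retry_after(value, now, cap=MAX_WAIT_SECONDS):
    """Return seconds to wait (0..cap), or None if the value is unparseable.

    delay-seconds must be a plain ASCII integer; anything else is tried as an
    HTTP-date. A date in the past yields 0 (retry now), never a negative wait.
    """
    text = value.strip()
    if text.isascii() and text.isdigit():
        wait = int(text)
    else:
        try:
            when = parsedate_to_datetime(text)
        except (TypeError, ValueError):
            return None
        if when.tzinfo is None:  # treat a zone-less date as GMT
            when = when.replace(tzinfo=timezone.utc)
        wait = int((when - now).total_seconds())
    return max(0, min(cap, wait))


if __name__ == "__main__":
    for v in ("120", "Fri, 07 Nov 2014 23:59:59 GMT", "999999", "soon"):
        print(repr(v), "->", parse_retry_after(v, DEMO_NOW))
```

Returning None for garbage lets the caller fall back to its own backoff schedule instead of either crashing or retrying immediately in a tight loop.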