HTTP headers let the client and the server pass additional information with an HTTP request or response.
Header Example
An HTTP header consists of a case-insensitive name, a colon (:), and a value; whitespace before the value is ignored. Each header line ends with CRLF, and an empty line separates the header block from the body.
```http
GET /tutorials/other/ HTTP/1.1
Host: net.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache
```

```http
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Sat, 28 Nov 2009 04:36:25 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: W3 Total Cache/0.8
Expires: Sat, 28 Nov 2009 05:36:25 GMT

<!DOCTYPE>
<html>
<head></head><body>EXAMPLE</body>
</html>
```
Header Types
| Type | Description |
|---|---|
| General Header | Headers applying to both requests and responses but with no relation to the data eventually transmitted in the body |
| Request Header | Headers containing more information about the resource to be fetched or about the client itself |
| Response Header | Headers with additional information about the response (e.g. server location, server info, etc.) |
| Entity Header | Headers containing more information about the body of the entity (e.g. content length, MIME type, etc.) |
Header Types (According to How Proxies Handle Them)
| Type | Description |
|---|---|
| End-to-End Headers | These headers must be transmitted to the final recipient of the message; that is, the server for a request or the client for a response. Intermediate proxies must retransmit end-to-end headers unmodified and caches must store them |
| Hop-by-Hop Headers | These headers are meaningful only for a single transport-level connection and must not be retransmitted by proxies or cached. They are: Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, TE, Trailer, Transfer-Encoding and Upgrade. Only hop-by-hop headers may be nominated in the Connection general header, but a proxy that honours Connection literally will strip whatever header name a client lists there (e.g. `Connection: close, X-Forwarded-For`), so a proxy should not let clients nominate headers that it or the backend relies on |
Header Size Limits (server defaults, all tunable)
These limits apply to a whole header field (name plus value) or to the whole header block, not only to the value. A request that exceeds them is rejected with 400 or 431 Request Header Fields Too Large (RFC 6585), not truncated; oversized Cookie headers are the usual way to hit them.
- Apache 2.0, 2.2: 8190 bytes per field (LimitRequestFieldSize), at most 100 fields (LimitRequestFields)
- Nginx: 1K initial buffer (client_header_buffer_size), then up to four 8K buffers (large_client_header_buffers); a single header line larger than one buffer is rejected
- IIS: varies by version, 8K - 16K (http.sys MaxFieldLength / MaxRequestBytes)
- Tomcat: varies by version, 8K - 48K (maxHttpHeaderSize, which bounds the whole header block)
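The following is an added example, not code from the original page: a small header-block parser that applies the rules above in one place: the case-insensitive name / colon / value syntax, the hop-by-hop set and Connection-nominated headers a proxy drops before forwarding, and a per-field size limit. The 8190-byte limit is modelled on Apache's default LimitRequestFieldSize; the sample request is constructed from the one shown earlier, with an extra X-Forwarded-For header and a client-supplied Connection token naming it, to show the proxy stripping a header the backend would otherwise trust.

```python
import re

# Field-name characters permitted by RFC 7230 (tchar); no whitespace before the colon.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

# Hop-by-hop header names (RFC 2616 section 13.5.1), compared case-insensitively.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Per-field limit, modelled on Apache's default LimitRequestFieldSize (assumption for this example).
MAX_FIELD_SIZE = 8190


class HeaderError(ValueError):
    """A header block a server would reject; `status` is the response code it would send."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def parse_headers(raw):
    """Parse the start line and header block of a request or response.

    Returns (start_line, headers); headers is a list of (name, value) tuples in
    wire order with the name lower-cased, so duplicates and ordering survive.
    Raises HeaderError(400) for a malformed field and HeaderError(431) for an
    oversized one.
    """
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    start_line, headers = lines[0], []
    for line in lines[1:]:
        if line == "":
            break  # the empty line ends the header block; anything after it is body
        if len(line.encode()) > MAX_FIELD_SIZE:
            raise HeaderError(431, "Request Header Fields Too Large")
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.fullmatch(name):
            raise HeaderError(400, "malformed header field: %r" % line)
        headers.append((name.lower(), value.strip(" \t")))  # leading/trailing OWS dropped
    return start_line, headers


def get_header(headers, name):
    """Case-insensitive lookup returning every value sent under `name`."""
    name = name.lower()
    return [value for n, value in headers if n == name]


def strip_hop_by_hop(headers):
    """Drop what a proxy must not forward: the fixed hop-by-hop set plus every
    header name the Connection field nominates (RFC 2616 section 14.10)."""
    nominated = set()
    for value in get_header(headers, "connection"):
        nominated.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | nominated
    return [(n, v) for n, v in headers if n not in drop]


def status_for(raw):
    """Status a server would answer with for this header block: 200 if it parses."""
    try:
        parse_headers(raw)
    except HeaderError as err:
        return err.status
    return 200


# Constructed sample, adapted from the request above: the User-Agent line has odd
# casing and extra whitespace after the colon, and the client has listed
# X-Forwarded-For in Connection so the proxy strips a header the backend relies on.
SAMPLE_REQUEST = (
    "GET /tutorials/other/ HTTP/1.1\r\n"
    "Host: net.tutsplus.com\r\n"
    "user-agent:   Mozilla/5.0\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive, X-Forwarded-For\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n"
    "Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120\r\n"
    "\r\n"
)

if __name__ == "__main__":
    start_line, headers = parse_headers(SAMPLE_REQUEST)
    print(start_line)
    for name, value in strip_hop_by_hop(headers):
        print("%s: %s" % (name, value))
    print(status_for("GET / HTTP/1.1\r\nHost : example\r\n\r\n"))  # space before the colon
```

Run stand-alone, the script prints the request as a compliant proxy would forward it: Keep-Alive and Connection are gone because they are hop-by-hop, and X-Forwarded-For is gone because the client nominated it. A proxy that must preserve its own X-Forwarded-For should filter client-supplied Connection tokens down to the fixed hop-by-hop set before applying them.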
Header Directives
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- HTTP Cookie (Web Cookie, Internet Cookie, Browser Cookie, or Cookie)
- Cross-Origin Request (COR) - Same-Origin Policy (SOP) - Cross-Origin Resource Sharing (CORS) - Cross-Origin Read Blocking (CORB)
- CSP vs SOP/CORS
- HTTP - Headers - Connection & Keep-Alive
- HTTP - Headers - Content-Security-Policy (CSP)
- HTTP - Headers - Content-Type
- HTTP - Headers - ETag
- HTTP - Headers - Host vs Origin
- HTTP - Headers - WWW-Authenticate & Authorization