What are HTTP Headers?

HTTP headers let the client pass additional information to the server, and let the server pass additional information about the response back to the client. For example, with Content-Type: application/json the server tells the HTTP client that it has returned JSON.

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It was created in the early 1990s. Nowadays, almost everything that you see in your browser is transferred to your computer or mobile phone over the HTTP protocol. For example, when you open a web page from a website, your browser makes about 15-30 HTTP requests to the server and receives an HTTP response for each request.

What is an HTTP Header?

Each HTTP request and response consists of HTTP headers and an HTTP body. HTTP header fields are passed after the request line (or response line). Each HTTP header consists of its case-insensitive name, followed by a colon (:), and then the header value. Spaces before the name and value are ignored. Header fields are separated by carriage return (CR) and line feed (LF) characters (for example, Host: reqbin.com).

The information sent in HTTP headers may include the type and size of the data in the request body, the compression methods supported by the client and server, the languages that the client can display, and the source of the request. The server uses HTTP headers to send the size and data type of the response body, the compression method used, caching directives, and cross-origin resource sharing restrictions (CORS headers).

HTTP headers can be grouped by context:

  • Request headers contain information about the client that is requesting the resource and about the requested resource itself.
  • Response headers contain additional information about the server, such as its name or type.
  • Presentation headers contain information about the message body that the client sends to the server or the server returns to the client, such as its MIME type and size, as well as the encoding or compression.

HTTP Headers Example

Below is an example of the HTTP headers that the browser sends to the server when you make a request to the ReqBin echo URL.

HTTP Request Headers Example
GET /echo/post/json HTTP/1.1
Host: reqbin.com
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate

In this HTTP headers example, the 'Host: reqbin.com' header specifies the domain name to which we are sending the request, Accept-Language: en-US tells the server that our client needs an English version of the document, and the Accept-Encoding: gzip, deflate informs the server that our client can accept a compressed HTTP body.

Below is the server's response to our HTTP request.

HTTP Response Headers Example
HTTP/1.1 200 OK
Content-Length: 19
Content-Type: application/json

{"success":"true"}

The Content-Type: application/json header indicates that the server returned JSON, and the Content-Length: 19 header indicates the size of the JSON in the HTTP response.

HTTP Request Structure

An HTTP request message has 3 parts.
  • Request line
  • Request Headers
  • Request body
The first line of the HTTP request is called the request line and consists of 3 parts:
  • HTTP Method - Indicates what kind of request it is. The most common methods are GET, POST, and HEAD.
  • The Request Path - is the part of the URL that comes after the host name. For home pages, the request path is /.
  • HTTP protocol part - contains the HTTP string followed by the protocol version.
The request line is followed by one or more lines with HTTP headers in the form of Name: Value pairs. The HTTP headers contain various information about the HTTP request and your browser. The header lines are followed by the request body, which is separated from the header lines by two pairs of CR (carriage return) and LF (line feed) symbols.

HTTP Response Structure

The first line of the HTTP response is called the status line. It is HTTP/1.1 or HTTP/2 followed by a status code and a short message. For example, HTTP/1.1 200 OK means that the server has successfully responded to our request. The status line is followed by one or more lines with HTTP headers in the form of Name: Value pairs, as for an HTTP request.

Size limits for HTTP headers

The HTTP standard does not impose restrictions on the size of each name or the value of the header field or on the number of fields. However, most servers, clients, and proxies impose certain restrictions for practical and security reasons. For example, Apache server by default limits the size of each field to 8 kilobytes, and in one request there can be no more than 100 header fields.
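
The request structure and the size limits described above can be combined into one small parser. This is an added example, not ReqBin or Apache code: the names parse_request, HeaderError, MAX_FIELD_BYTES and MAX_FIELDS are hypothetical, and the two limits are taken from the Apache defaults quoted in the paragraph above.

```python
MAX_FIELD_BYTES = 8 * 1024  # per-field limit (8 kilobytes, as quoted above)
MAX_FIELDS = 100            # maximum number of header fields in one request


class HeaderError(ValueError):
    """Raised when a request head is malformed or exceeds a limit."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, version, headers, body)."""
    # The head ends at the first empty line, i.e. two consecutive CRLF pairs.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("missing blank line after the header lines")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise HeaderError("malformed request line")
    method, path, version = parts
    fields = lines[1:]
    if len(fields) > MAX_FIELDS:
        raise HeaderError("too many header fields")
    headers = {}
    for line in fields:
        if len(line) > MAX_FIELD_BYTES:
            raise HeaderError("header field too large")
        name, colon, value = line.partition(b":")
        # Strictness choice of this example: whitespace in or around the name
        # is rejected rather than ignored (RFC 9112 forbids it before the colon).
        if not colon or not name or b" " in name or b"\t" in name:
            raise HeaderError("header line is not in 'Name: value' form")
        # Names are case-insensitive, so they are stored lower-cased.
        # Repeated fields are kept as a list instead of being overwritten.
        headers.setdefault(name.decode("latin-1").lower(), []).append(
            value.strip().decode("latin-1"))
    return method, path, version, headers, body


# Constructed sample input: the request from the example earlier on the page,
# with the Host name upper-cased to show case-insensitive matching.
SAMPLE = (b"GET /echo/post/json HTTP/1.1\r\n"
          b"HOST: reqbin.com\r\n"
          b"Accept-Language: en-US,en;q=0.9\r\n"
          b"Accept-Encoding: gzip, deflate\r\n\r\n")

if __name__ == "__main__":
    print(parse_request(SAMPLE))
```

Rejecting oversized or malformed heads before any application code sees them is what the server-side limits mentioned above are for.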

Request Context Headers

  • Host - specifies the domain name of the server and, optionally, the TCP port number. If the port number is not specified, then it is equal to 80 for normal connections and 443 for secure connections.
  • User-Agent - contains a string that describes the type, version, and characteristics of the browser or user client application and allows the server to optimize its response for this device.
  • Referer - the address of the previous web page from which the browser went to the currently requested page. It is often used in analytics systems.

Response Context Headers

  • Server - contains information about the server. Often used in conjunction with the X-Powered-By header.

Authentication Headers

  • WWW-Authenticate header - defines the authentication method that should be used to access the protected resource.
  • Authorization - contains credentials for authenticating the client to the server. For example, Authorization: Bearer {token} is the Bearer Token authorization header.

Caching Headers

  • Age - the time in seconds that the resource has been in the cache.
  • Cache-Control - cache directives for both requests and responses.
  • Expires - the time after which the resource in the cache is considered obsolete.
  • Pragma - an implementation-dependent header used for backward compatibility with HTTP/1.0 caches, where the Cache-Control header is not yet implemented.

Connection Management Headers

  • Connection - indicates whether the client or server wants to keep the connection open after the current HTTP transaction has completed. For example Connection: keep-alive.
  • Keep-Alive - specifies how long a persistent connection should remain open. For example, Keep-Alive: timeout=15.

Cookies Headers

  • Cookie - contains HTTP cookies that the browser sends to the server along with the request.
  • Set-Cookie - contains cookies that the server wants to store in the browser.

Content Information Headers

  • Content-Length - the size of the resource in the body of the HTTP message, in bytes.
  • Content-Type - indicates the media type of the resource in the body of the HTTP message.
  • Content-Encoding - specifies the compression algorithm used for the HTTP body.

Custom HTTP Headers

Custom header field names were usually prefixed with X-, but this convention was deprecated in June 2012 due to the inconvenience caused by custom fields becoming standard.

Custom HTTP header example:
X-Forwarded-For: 39.40.130.50

Common HTTP Headers

The list of common HTTP Headers.