HTTP Headers

HTTP headers let the client pass important information about the request to the server, and the server to pass important information about the response to the client.

This information may include the size and type of data in the request body, the compression methods the client supports, the languages the client can display, and the origin of the request (CORS headers). The server uses HTTP headers to send information about the size and type of data in the response body, the compression method used, cache directives, and cross-origin resource sharing restrictions (CORS headers).

HTTP header fields are passed after the request line (or response line). Each header field consists of a case-insensitive name followed by a colon (':') and then its value (for example, Host: reqbin.com). Spaces before the name and value are ignored. Header fields are separated by carriage return (CR) and line feed (LF) characters.

Request Headers Example
GET /echo/post/json HTTP/1.1
Host: reqbin.com
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate

Response Headers Example
HTTP/1.1 200 OK
Content-Length: 19
Content-Type: application/json

{"success":"true"}


HTTP Header Types

HTTP headers can be grouped according to their context in four types:

  • General Headers
    These headers apply to both the request and the response but are not related to the data transmitted in the body.
  • Request Headers
    Contain additional information about the client or requested resource.
  • Response Headers
    Contain additional information about the server response.
  • Entity Headers
    Contain information about the request or response body, such as the length or MIME type.

Size limits for HTTP headers

The standard does not restrict the size of a header field's name or value, or the number of fields. However, most servers, clients, and proxies impose limits for practical and security reasons. For example, the Apache server by default limits the size of each field to 8 kilobytes and allows no more than 100 header fields in one request.
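
The field format described earlier and the limits from this section, combined in one strict parser. This is an added example, not code from the original page: `parse_headers`, `is_rejected`, `HeaderError` and the strict rejection of whitespace around field names are assumptions of the example, and the limits are Apache's defaults.

```python
# Added example (not reqbin's code): strict parsing of an HTTP/1.1 header block.
MAX_FIELD_SIZE = 8190  # Apache's LimitRequestFieldSize default (the "8 kilobytes" above)
MAX_FIELDS = 100       # Apache's LimitRequestFields default
# Characters allowed in a field name (the HTTP "token" set).
TOKEN = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

class HeaderError(ValueError):
    """The header block is malformed or exceeds a configured limit."""

def parse_headers(raw, max_field_size=MAX_FIELD_SIZE, max_fields=MAX_FIELDS):
    """Return (start_line, {lower-cased name: [values]}) or raise HeaderError."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("header block is not terminated by an empty line")
    start_line, *fields = head.split(b"\r\n")
    if len(fields) > max_fields:
        raise HeaderError("too many header fields")
    headers = {}
    for line in fields:
        if len(line) > max_field_size:
            raise HeaderError("header field too large")
        if b"\r" in line or b"\n" in line:
            # A lone CR or LF makes parsers disagree about where a field ends.
            raise HeaderError("bare CR or LF inside a header field")
        name, colon, value = line.partition(b":")
        # Assumption: strict mode, whitespace in or around the name is an error.
        if not colon or not name or not set(name) <= TOKEN:
            raise HeaderError("invalid field name")
        key = name.decode("ascii").lower()  # names are case-insensitive
        headers.setdefault(key, []).append(value.strip(b" \t").decode("latin-1"))
    return start_line.decode("latin-1"), headers

def is_rejected(raw):
    """True when parse_headers refuses the message."""
    try:
        parse_headers(raw)
    except HeaderError:
        return True
    return False

# Constructed sample: the request shown earlier on this page, with CRLF line endings.
SAMPLE = (b"GET /echo/post/json HTTP/1.1\r\nHost: reqbin.com\r\n"
          b"Accept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate\r\n\r\n")

if __name__ == "__main__":
    start, parsed = parse_headers(SAMPLE)
    print(start, parsed)
```

Repeated fields are kept as a list under one lower-cased key, so `HOST` and `host` cannot be treated as two different headers by later code.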

Non-standard headers

Non-standard header fields were usually given names prefixed with X-, but this convention was deprecated in June 2012 due to the inconvenience caused by custom fields becoming standard.
Custom header example:
X-Forwarded-For: 39.40.130.50

Common HTTP Headers

A list of common HTTP headers:

General Headers
  • Cache-Control - caching directives for both requests and responses.
  • Connection - controls the network connection after the current transaction finishes.
  • Date - represents the date and time in Greenwich Mean Time (GMT).
  • Pragma - includes implementation-specific directives along the request/response chain.
  • Transfer-Encoding - indicates the type of encoding applied to the message so that it can be transferred safely.
  • Upgrade - used to specify additional communication protocols in case the server switches protocols.
  • Via - indicates the intermediate protocols and recipients; it should be used by gateways and proxies.
  • Warning - provides additional information about the status or transformation of a message.
Request Headers
  • Accept - advertises understandable content types, expressed as MIME types.
  • Accept-* - advertises understandable language and preferable locale variant.
  • Accept-Encoding - limits the content encodings allowed in the response.
  • Accept-Language - restricts the set of preferable natural languages of the response.
  • Authorization - consists of credentials containing the authentication information.
  • Cookie - sends to the server the cookies previously sent by the server with the Set-Cookie header.
  • Expect - indicates certain expectations of server behavior on the client side.
  • From - contains the email address of the user who controls the requesting agent.
  • Host - specifies the host and the port number of the resource that is requested.
  • Proxy-Authorization - allows identification to a proxy that requires authentication.
  • Range - specifies the range or ranges of the content requested from the document.
  • Referer - contains the address of the web page from which the link to the currently requested page was followed.
  • User-Agent - information about the client making the request, such as the vendor and version of the requesting user agent.
Response Headers
  • Accept-Ranges - allows the server to indicate range requests acceptance.
  • Age - how long, in seconds, the object has been in the proxy cache.
  • ETag - provides the current value of the entity tag for the requested variant.
  • Location - the destination URL for 3xx redirects.
  • Proxy-Authenticate - a field that is to be included as a part of a 407 response.
  • Retry-After - indicates how long the service is expected to be unavailable; can be used with a 503 (Service Unavailable) response.
  • Server - information about the server (name, version).
  • Set-Cookie - contains information to retain for the URL.
  • Vary - specifies variety of the sources of the entity.
  • WWW-Authenticate - indicates applicable authentication schemes and parameters.
Entity Headers
  • Allow - lists the set of methods supported by the resource identified by the Request-URI.
  • Content-Encoding - the compression type used.
  • Content-Language - the content language.
  • Content-Length - the size of the entity-body sent to the client, in bytes.
  • Content-Location - provides the resource location of the entity when it is obtained from a location different from that of the requested resource.
  • Content-MD5 - supplies an MD5 digest of the entity for checking the integrity of the message.
  • Content-Range - specifies the place for the partial body to be applied in the full body.
  • Expires - sets the expiration time.
  • Last-Modified - indicates the time of last modification according to the origin server.
