HTTP headers are essential components of the Hypertext Transfer Protocol (HTTP), used for communication between web browsers and servers.
When you opened this blog post, your browser sent a couple of HTTP requests to GET the HTML content to display in your browser, and it received an HTTP response for each one of them. HTTP headers hold information about the request or response being sent and provide additional instructions for the server or browser.
Example
When you request a webpage in your browser, your headers may look like this:
GET /blog/http-headers/ HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, mage/avif, image/webp, image/apng, */*; q=0.8, application/signed-exchange; v=b3; q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ar;q=0.8,ru;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Host: mohammadshehadeh.com
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
In response, your browser may receive a response like this:
HTTP/1.1 200 OK
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url, Accept-Encoding
x-nextjs-cache: HIT
Cache-Control: no-store, must-revalidate
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Date: Sun, 11 Feb 2024 19:59:53 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
Let's break down and explain each header
Request headers#
-
Request Line
GET /blog/http-headers/ HTTP/1.1
This is the request line, indicating that the client is making a GET request for the resource located at
/blog/http-headers/
using HTTP version 1.1. -
Accept
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, mage/avif, image/webp, image/apng, */*; q=0.8, application/signed-exchange; v=b3; q=0.7
Specifies the media types that the client can understand and is willing to accept. It includes a list of preferred content types with associated quality values (q-values).
-
Accept-Encoding
Accept-Encoding: gzip, deflate, br
Informs the server about the encodings that the client supports for the response. Common values include gzip, deflate, and br (Brotli).
-
Accept-Language
Accept-Language: en-US,en;q=0.9,ar;q=0.8,ru;q=0.7
Indicates the natural language and locale that the client prefers.
-
Cache-Control
Cache-Control: no-cache
Directs how caching should be performed, and in this case, it indicates "no-cache" suggesting that the client prefers a fresh response from the server rather than a cached one.
-
Connection
Connection: keep-alive
Specifies whether the connection should be kept alive (keep-alive) or closed after the current request/response is completed.
-
Host
Host: mohammadshehadeh.com
Specifies the domain name and port number of the server the client is trying to reach. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL).
-
Pragma
Pragma: no-cache
Used for backward compatibility with HTTP/1.0. In this case, it indicates no-cache. This header serves for backward compatibility with the HTTP/1.0 caches that do not have a Cache-Control HTTP/1.1 header.
-
Upgrade-Insecure-Requests
Upgrade-Insecure-Requests: 1
Suggests that the client prefers to use a secure connection (HTTPS) if the server supports it.
-
Sec-Fetch Headers
Sec-Fetch-Dest: empty Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin
- Sec-Fetch-Dest: Describes the destination of the request. In this case, it's set to "empty."
- Sec-Fetch-Mode: Describes how the request was initiated. Here, it's set to "navigate," indicating navigation to a new browsing context.
- Sec-Fetch-Site: Informs the server about the site from which the request originates. In this case, it's set to "same-origin."
-
Origin
Indicates the origin (scheme, hostname, and port) that initiated the request
<scheme>://<hostname>:<port>
-
User-Agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Identifies the client (browser) making the request. It provides information about the client's software, operating system, and version.
-
Authorization
Authorization: Bearer "token"
Used to send credentials for authentication purposes. Commonly, it contains encrypted information.
-
Cookie
Cookie: name=value; sessionID=abc123
Sends previously-stored cookies back to the server.
-
Access-Control-Request-Method
Access-Control-Request-Method: POST
Used by browsers with a preflight request, to let the server know which HTTP method will be used when the actual request is made.
-
Access-Control-Request-Headers
Access-Control-Request-Headers: Content-Type, x-requested-with
Used by browsers with a preflight request, to let the server know which HTTP headers will be used when the actual request is made.
Access-Control-Allow-Headers
header from the server side will answer this browser-side header.
Response headers#
-
Status Line
HTTP/1.1: 200 OK
Indicates that the server successfully processed the request
-
Vary
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url, Accept-Encoding
Describes the parts of the request message aside from the method and URL that influenced the content of the response it occurs in. Most often, this is used to create a cache key when content negotiation is in use
-
Date
Date: Sun, 11 Feb 2024 19:59:53 GMT
Represents the date and time when the server sent the response. It helps in determining the freshness of the response.
-
Keep-Alive
Keep-Alive: timeout=5
Provides information about the keep-alive timeout, indicating how long the connection should be kept open for potential future requests.
-
Transfer-Encoding
Transfer-Encoding: chunked
Indicates that the response is using chunked transfer encoding, where the response is sent in a series of chunks. This is useful for streaming content.
Security Headers#
- Strict-Transport-Security (HSTS): Instructs the browser to only access the server over HTTPS.
usually, users may initially communicate with HTTP version of the site before being redirected to HTTPS version; The strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
- Content-Security-Policy (CSP): Specifies allowed sources for web content.
CSP helps guard against cross-site scripting attacks Cross-site scripting (XSS), It allows web developers to define a set of rules specifying which sources of content are considered legitimate for their web application.
Content-Security-Policy: default-src 'self'; script-src 'self' example.com; style-src 'self' fonts.googleapis.com; img-src 'self' https://example.com data:;
default-src 'self';
The default-src directive sets the default source for content that doesn't have a more specific directive. In this case, 'self' means that content (e.g., scripts, styles, images) should primarily be loaded from the same origin as the web page itself.
script-src 'self' example.com;
The script-src directive specifies the sources from which scripts can be executed. Here, it allows scripts from the same origin ('self') and from the domain 'example.com'. Scripts from other domains won't be executed.
style-src 'self' fonts.googleapis.com;
The style-src directive defines the allowed sources for stylesheets. It permits styles from the same origin ('self') and from 'fonts.googleapis.com', allowing the use of fonts from Google Fonts.
img-src 'self' https://example.com data:;
The img-src directive controls the allowed sources for loading images. It allows images from the same origin ('self') and from the 'data:' scheme, which is used for inline data and from specified external domain https://example.com.
the meta element can be used to configure a policy
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src https://*;"
/>
Conclusion#
HTTP requests are like messages sent between web browsers and servers to retrieve resources like web pages. Requests are started by clients, and they include different headers that provide information about the request, the client's preferences, and authentication details