MSH

Understanding HTTP Headers

Published on

HTTP headers are essential components of the Hypertext Transfer Protocol (HTTP), used for communication between web browsers and servers.

When you opened this blog post, your browser sent a couple of HTTP requests to GET the HTML content to display in your browser, and it received an HTTP response for each one of them. HTTP headers hold information about the request or response being sent and provide additional instructions for the server or browser.

Example

When you request a webpage in your browser, your headers may look like this:

1GET /blog/http-headers/ HTTP/1.1 2Accept: text/html, application/xhtml+xml, application/xml; q=0.9, mage/avif, image/webp, image/apng, */*; q=0.8, application/signed-exchange; v=b3; q=0.7 3Accept-Encoding: gzip, deflate, br 4Accept-Language: en-US,en;q=0.9,ar;q=0.8,ru;q=0.7 5Cache-Control: no-cache 6Connection: keep-alive 7Host: mohammadshehadeh.com 8Pragma: no-cache 9Sec-Fetch-Dest: empty 10Sec-Fetch-Mode: navigate 11Sec-Fetch-Site: same-origin 12Upgrade-Insecure-Requests: 1 13User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

In response, your browser may receive a response like this:

1HTTP/1.1 200 OK 2Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url, Accept-Encoding 3x-nextjs-cache: HIT 4Cache-Control: no-store, must-revalidate 5Content-Type: text/html; charset=utf-8 6Content-Encoding: gzip 7Date: Sun, 11 Feb 2024 19:59:53 GMT 8Connection: keep-alive 9Keep-Alive: timeout=5 10Transfer-Encoding: chunked

Let's break down and explain each header

Request Headers

  • Request Line
1GET /blog/http-headers/ HTTP/1.1

This is the request line, indicating that the client is making a GET request for the resource located at /blog/http-headers/ using HTTP version 1.1.

  • Accept
1Accept: text/html, application/xhtml+xml, application/xml; q=0.9, mage/avif, image/webp, image/apng, _/_; q=0.8, application/signed-exchange; v=b3; q=0.7

Specifies the media types that the client can understand and is willing to accept. It includes a list of preferred content types with associated quality values (q-values).

  • Accept-Encoding
1Accept-Encoding: gzip, deflate, br

Informs the server about the encodings that the client supports for the response. Common values include gzip, deflate, and br (Brotli).

  • Accept-Language
1Accept-Language: en-US,en;q=0.9,ar;q=0.8,ru;q=0.7

Indicates the natural language and locale that the client prefers.

  • Cache-Control
1Cache-Control: no-cache

Directs how caching should be performed, and in this case, it indicates "no-cache" suggesting that the client prefers a fresh response from the server rather than a cached one.

  • Connection
1Connection: keep-alive

Specifies whether the connection should be kept alive (keep-alive) or closed after the current request/response is completed.

  • Host
1Host: mohammadshehadeh.com

Specifies the domain name and port number of the server the client is trying to reach. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL).

  • Pragma
1Pragma: no-cache

Used for backward compatibility with HTTP/1.0. In this case, it indicates no-cache. This header serves for backward compatibility with the HTTP/1.0 caches that do not have a Cache-Control HTTP/1.1 header.

  • Upgrade-Insecure-Requests
1Upgrade-Insecure-Requests: 1

Suggests that the client prefers to use a secure connection (HTTPS) if the server supports it.

  • Sec-Fetch Headers
1Sec-Fetch-Dest: empty Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin

  • Sec-Fetch-Dest: Describes the destination of the request. In this case, it's set to "empty."

  • Sec-Fetch-Mode: Describes how the request was initiated. Here, it's set to "navigate," indicating navigation to a new browsing context.

  • Sec-Fetch-Site: Informs the server about the site from which the request originates. In this case, it's set to "same-origin."

  • Origin

    Indicates the origin (scheme, hostname, and port) that initiated the request <scheme>://<hostname>:<port>

  • User-Agent

1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

Identifies the client (browser) making the request. It provides information about the client's software, operating system, and version.

  • Authorization
1Authorization: Bearer "token"

Used to send credentials for authentication purposes. Commonly, it contains encrypted information.

  • Cookie
1Cookie: name=value; sessionID=abc123

Sends previously-stored cookies back to the server.

  • Access-Control-Request-Method
1Access-Control-Request-Method: POST

Used by browsers with a preflight request, to let the server know which HTTP method will be used when the actual request is made.

  • Access-Control-Request-Headers
1Access-Control-Request-Headers: Content-Type, x-requested-with

Used by browsers with a preflight request, to let the server know which HTTP headers will be used when the actual request is made. Access-Control-Allow-Headers header from the server side will answer this browser-side header.

Response Headers

  • Status Line
1HTTP/1.1: 200 OK

Indicates that the server successfully processed the request

  • Vary
1Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url, Accept-Encoding

Describes the parts of the request message aside from the method and URL that influenced the content of the response it occurs in. Most often, this is used to create a cache key when content negotiation is in use

  • Date
1Date: Sun, 11 Feb 2024 19:59:53 GMT

Represents the date and time when the server sent the response. It helps in determining the freshness of the response.

  • Keep-Alive
1Keep-Alive: timeout=5

Provides information about the keep-alive timeout, indicating how long the connection should be kept open for potential future requests.

  • Transfer-Encoding
1Transfer-Encoding: chunked

Indicates that the response is using chunked transfer encoding, where the response is sent in a series of chunks. This is useful for streaming content.

Security Headers

usually, users may initially communicate with HTTP version of the site before being redirected to HTTPS version; The strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

CSP helps guard against cross-site scripting attacks Cross-site scripting (XSS), It allows web developers to define a set of rules specifying which sources of content are considered legitimate for their web application.

1Content-Security-Policy: default-src 'self'; script-src 'self' example.com; style-src 'self' fonts.googleapis.com; img-src 'self' https://example.com data:;

default-src 'self';

The default-src directive sets the default source for content that doesn't have a more specific directive. In this case, 'self' means that content (e.g., scripts, styles, images) should primarily be loaded from the same origin as the web page itself.

script-src 'self' example.com;

The script-src directive specifies the sources from which scripts can be executed. Here, it allows scripts from the same origin ('self') and from the domain 'example.com'. Scripts from other domains won't be executed.

style-src 'self' fonts.googleapis.com;

The style-src directive defines the allowed sources for stylesheets. It permits styles from the same origin ('self') and from 'fonts.googleapis.com', allowing the use of fonts from Google Fonts.

img-src 'self' https://example.com data:;

The img-src directive controls the allowed sources for loading images. It allows images from the same origin ('self') and from the 'data:' scheme, which is used for inline data and from specified external domain https://example.com.

the meta element can be used to configure a policy

1<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*;" />

Key Takeaways

  1. Request Headers

    • Provide information about the client's preferences
    • Handle authentication and security
    • Manage caching behavior
    • Control content negotiation

  2. Response Headers

    • Indicate server status and content type
    • Manage caching and compression
    • Handle connection management
    • Control content delivery

  3. Security Headers

    • Enforce HTTPS with HSTS
    • Prevent XSS with CSP
    • Control resource loading
    • Protect against common web vulnerabilities

References

GET IN TOUCH

Let's work together

I build exceptional and accessible digital experiences for the web

WRITE AN EMAIL

or reach out directly at hello@mohammadshehadeh.com