HYPERTEXT TRANSFER PROTOCOL (HTTP) HEADERS
HTTP headers allow the client and the server to pass additional information along with a request or a response. An HTTP header consists of a name, a colon, and a value.
There are standard request and response headers that are sent by default, and custom headers can also be added, conventionally using the X- prefix (a convention that RFC 6648 has since deprecated).
Classification of HTTP Headers:
According to Context:
General Header: applies to both requests and responses, but has no relation to the data transmitted in the body.
Request Header: contains information about the request made by the user to fetch a certain resource.
Response Header: contains information about the response returned by the server to the user's request.
Entity Header: contains further information about the body of the request or response, such as its length or type.
According to Proxy:
End-to-End Header: these headers are transmitted to the end receiver, the client or the server. Proxies must transmit them without modification, and caches must store them.
Hop-by-Hop Header: these headers are meaningful only for a single transport-level connection and must not be retransmitted by proxies or stored in a cache.
Authentication Headers:
WWW-Authenticate: It defines the authentication method that the client must use to gain access to a certain file or webpage.
Authorization: It contains the credentials that the user presents to authenticate with the server to access a certain file or webpage.
Proxy-Authenticate: It defines the authentication method to be used with a proxy server.
Proxy-Authorization: It contains the credentials that the user uses to authenticate with a proxy server.
Cache Headers:
Age: It defines the time (in seconds) for which an object has been in a proxy cache. Also called Time-To-Live (or TTL).
Cache-Control: It contains the directives used to specify caching policies in both request and response headers. The directives of the Cache-Control header are as follows:
max-age: It defines the time (in seconds) after which the cached copy of an object expires. After expiry, the browser has to resubmit the request.
no-cache: It means that the browser may cache the response, but it has to revalidate it with the server before reusing it.
no-store: It means that the browser is not allowed to cache the response at all. This is the most suitable directive where sensitive information is present, such as bank account details, passwords, etc.
public: It declares that the object can be cached by any cache.
private: This directive ensures that the object is cached by the user's browser only and not by any shared cache (such as a proxy).
Clear-Site-Data: It instructs the browser to clear the browsing data (caches, cookies, etc.) associated with the requesting website.
Expires: The date and time after which the response becomes stale and should not be reused without revalidation.
Warning: A general warning field carrying information about possible problems or insecurities with the message.
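The cache headers above interact: max-age (or, failing that, Expires measured against the Date header) gives a freshness lifetime, Age gives how long a copy has already sat in a cache, and no-store/private decide whether a shared cache may keep the response at all. The following Python is an added example, not code from the original article; the sample header sets are constructed, and the Expires-without-Date case is simplified to "not fresh".

```python
"""Added example (not part of the original article): parse Cache-Control,
Age, Date and Expires and decide (a) whether a shared cache may store a
response and (b) whether a stored copy is still fresh.
Sample header dictionaries below are constructed for the example."""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split 'public, max-age=3600' into {'public': None, 'max-age': '3600'}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(headers):
    """A proxy (shared) cache must not keep responses marked no-store or
    private; anything else (including 'public') may be stored."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    return "no-store" not in cc and "private" not in cc


def freshness_lifetime(headers):
    """Seconds a response may be served without revalidation.
    max-age takes precedence over Expires; Expires is interpreted relative to
    the Date header. An unparseable Expires counts as already expired.
    Simplification: Expires without a Date header is treated as 0 seconds."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return int(max_age)
    if "Expires" in headers and "Date" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
            date = parsedate_to_datetime(headers["Date"])
        except (TypeError, ValueError):
            return 0
        return max(0, int((expires - date).total_seconds()))
    return 0


def is_fresh(headers):
    """Fresh while the current age (Age header) is below the freshness
    lifetime. no-cache means the copy may be stored but must be revalidated
    on every use, so it is never served as fresh."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-cache" in cc:
        return False
    age = int(headers.get("Age", "0"))
    return age < freshness_lifetime(headers)


# Constructed sample responses.
STATIC_ASSET = {"Cache-Control": "public, max-age=3600", "Age": "120"}
ACCOUNT_PAGE = {"Cache-Control": "no-store, private"}
LEGACY_PAGE = {"Date": "Mon, 01 Jan 2024 00:00:00 GMT",
               "Expires": "Mon, 01 Jan 2024 00:10:00 GMT", "Age": "700"}
```

Run against the samples: the static asset is storable and still fresh (120 s old, 3600 s lifetime), the account page is never stored by a shared cache, and the legacy page has a 600 s lifetime from Expires but is 700 s old, so it is stale.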
Connection Management Headers:
Connection: It controls whether the connection remains open or is closed after the server has responded to the request.
Keep-Alive: It controls how long a persistent connection remains open.
Cookie Headers:
Cookie: It is sent by the client and contains the cookies that were previously set by the server.
Set-Cookie: It is used by the server to send cookies to the user.
Cross-Origin Resource Sharing (CORS) Headers:
Access-Control-Allow-Origin: It indicates whether the response can be shared with the requesting origin.
Access-Control-Allow-Credentials: It indicates whether the response may be exposed to the page when the request was made with credentials (the credentials flag set to true).
Access-Control-Allow-Headers: It indicates, in response to a preflight request, which HTTP headers can be used in the actual request.
Access-Control-Allow-Methods: It defines, in response to a preflight request, the methods allowed when the object is accessed.
Access-Control-Expose-Headers: It indicates which response headers the page is allowed to read.
Access-Control-Max-Age: It indicates for how long the result of a preflight request can be cached.
Access-Control-Request-Headers: It is used to tell the server, in the preflight request, what HTTP headers will be used in the actual request.
Access-Control-Request-Method: Same as Access-Control-Request-Headers, but it tells the server the method to be used in the actual request instead of the HTTP headers.
Cross-Origin-Secure-Policy: It prevents other domains from loading their files onto the site's domain.
X-Permitted-Cross-Domain-Policies: A cross-domain-policy file is an XML document that allows certain web clients (such as Adobe Flash Player) to handle data across domains. This header controls whether such a client is allowed to do so on a domain.
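The preflight exchange described above has two halves: the server answers Access-Control-Request-Method/-Headers with the Access-Control-Allow-* headers, and the browser then checks Access-Control-Allow-Origin (and -Credentials) before letting the page read the response. The Python below is an added example, not the article's own code; the allow-lists and sample preflights are constructed. It also encodes one rule the article does not spell out: a response that allows credentials must name the origin explicitly, because browsers reject a wildcard "*" for credentialed requests.

```python
"""Added example (not part of the original article): server-side CORS
preflight decision and the matching browser-side sharing check.
ALLOWED_* sets and the sample preflights are constructed."""

# Constructed allow-list of origins permitted to read responses with credentials.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-request-id"}


def preflight_response(request_headers):
    """Build the Access-Control-* headers for an OPTIONS preflight.
    Returns {} when the preflight is rejected; the browser then blocks the
    actual request. Because credentials are allowed, the origin is echoed
    explicitly instead of '*', which would be rejected by the browser."""
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method", "")
    requested = request_headers.get("Access-Control-Request-Headers", "")
    requested_set = {h.strip().lower() for h in requested.split(",") if h.strip()}

    if origin not in ALLOWED_ORIGINS:
        return {}
    if method.upper() not in ALLOWED_METHODS:
        return {}
    if not requested_set <= ALLOWED_HEADERS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,        # never '*' together with credentials
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",              # browser may cache this preflight for 10 min
        "Vary": "Origin",                             # response differs per origin; caches must key on it
    }


def browser_may_share(origin, with_credentials, response_headers):
    """Browser-side check on the actual response: may the page read it?
    Mirrors the rule that a credentialed request cannot accept '*'."""
    allow_origin = response_headers.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        return False
    if allow_origin == "*":
        return not with_credentials
    if allow_origin != origin:
        return False
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True


# Constructed preflight from a permitted origin.
GOOD_PREFLIGHT = {
    "Origin": "https://app.example.com",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "Content-Type, Authorization",
}
# Constructed preflight from an origin that is not on the allow-list.
OTHER_ORIGIN_PREFLIGHT = dict(GOOD_PREFLIGHT, Origin="https://other.example.net")
```

The Vary: Origin header is included because a cache that stored the per-origin answer without keying on Origin would hand one origin's Access-Control-Allow-Origin to another.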
Message Body Information Headers:
Content-Length: It indicates the size of the entity body in bytes.
Content-Type: It indicates the media type of the resource.
Content-Encoding: It specifies the compression algorithm applied to the body.
Content-Language: It indicates the language(s) of the content, so that users can view it in their preferred language.
Content-Location: It indicates an alternate location for the returned data.
Proxy Headers:
Forwarded: It contains client-side information (such as the original client address and protocol) that would otherwise be lost when the request passes through a proxy.
X-Forwarded-For: It identifies the original IP address of the client when the client connects through a proxy.
X-Forwarded-Host: It identifies the original Host requested by the client before the request was forwarded by the proxy server.
X-Forwarded-Proto: It identifies whether the client used HTTP or HTTPS to connect to the proxy.
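X-Forwarded-For and X-Forwarded-Proto are ordinary request headers, so whatever the client sends arrives as-is; only the entries appended by a proxy you operate are reliable. The Python below is an added example, not code from the article: it walks the X-Forwarded-For chain from the right and stops at the first address that is not one of a constructed set of trusted proxies, and honours X-Forwarded-Proto only when the direct peer is such a proxy.

```python
"""Added example (not part of the original article): recover the real client
address and scheme from X-Forwarded-For / X-Forwarded-Proto behind known
proxies. TRUSTED_PROXIES and the sample requests are constructed."""
import ipaddress

# Constructed: addresses of the reverse proxies / load balancers we operate.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}


def parse_xff(value):
    """'203.0.113.7, 10.0.0.5' -> [IPv4Address('203.0.113.7'), IPv4Address('10.0.0.5')].
    Unparseable entries are kept as None so that positions are preserved."""
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            out.append(ipaddress.ip_address(item))
        except ValueError:
            out.append(None)
    return out


def client_ip(peer_ip, headers):
    """Each proxy appends the address it received the request from, so the
    chain is oldest-first. Walk it from the right (the nearest hop) and stop
    at the first address that is not one of our proxies: every hop to its
    right was appended by infrastructure we control, everything to its left
    is unverified client input and is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer                      # direct connection: header cannot be trusted at all
    for hop in reversed(parse_xff(headers.get("X-Forwarded-For", ""))):
        if hop is None:
            break                        # malformed entry in the trusted part: fall back to peer
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer


def request_scheme(peer_ip, headers):
    """Honour X-Forwarded-Proto only from a trusted proxy; otherwise assume
    plain HTTP, so a forged header cannot make a request look like TLS."""
    if ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        proto = headers.get("X-Forwarded-Proto", "http").strip().lower()
        return proto if proto in ("http", "https") else "http"
    return "http"


# Constructed: client 203.0.113.7 -> proxy 10.0.0.5 -> proxy 10.0.0.6 -> this server.
VIA_PROXY = {"X-Forwarded-For": "203.0.113.7, 10.0.0.5", "X-Forwarded-Proto": "https"}
# Constructed: same path, but the client pre-filled a bogus first entry.
PREFILLED = {"X-Forwarded-For": "198.51.100.1, 203.0.113.7, 10.0.0.5", "X-Forwarded-Proto": "https"}
```

In both constructed cases the server connected to by peer 10.0.0.6 resolves the client to 203.0.113.7; the pre-filled 198.51.100.1 is left of the first untrusted hop and never consulted. A request arriving directly (peer not in the trusted set) is attributed to the peer address regardless of what the header says.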
Redirection Headers:
Location: It is used to redirect the user to another URL.
Request Context Headers:
From: It contains the requesting user's email address.
Host: It identifies the domain name (and optionally the port) of the server being requested.
Referer: It contains the URL of the web page from which the user followed the link to the current one (the header name is a historical misspelling of "referrer").
Referrer-Policy: It controls what referrer information should be sent in the Referer header.
User-Agent: It identifies the requesting user's client software, OS and web browser.
Security Headers:
Content-Security-Policy (CSP): It controls which resources (scripts, styles, images, etc.) the browser is allowed to load for a page, and from where.
Content-Security-Policy-Report-Only: It allows web developers to experiment with policies by monitoring their effects without enforcing them.
Feature-Policy: It provides a mechanism to allow and deny the use of browser features in the page's own frame as well as in embedded iframes (since renamed Permissions-Policy).
Public-Key-Pins (HPKP): It was intended to prevent Man-In-The-Middle (MITM) attacks by pinning a cryptographic public key; it has since been deprecated and removed from major browsers.
Strict-Transport-Security (HSTS): It is used to force web communication over HTTPS instead of HTTP.
X-Content-Type-Options: It is used to disable media type sniffing (MIME sniffing) and forces the browser to use the type declared in the Content-Type header.
X-Frame-Options (XFO): It controls whether a web page is allowed to be embedded in an <iframe>, <frame> or similar element.
X-XSS-Protection: It enables the browser's built-in filter against reflected Cross-Site Scripting (XSS); the filter has since been deprecated in most browsers.
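A practical way to use this list is to parse a server's raw response head (name, colon, value per line, as described at the top of the article) and check which of the security headers are present and sensibly set. The Python below is an added example, not code from the article or any project it mentions; the two sample responses are constructed. The framing check also accepts a CSP frame-ancestors directive as an alternative to X-Frame-Options, which the article does not mention; Set-Cookie's special handling of repeated headers is deliberately out of scope.

```python
"""Added example (not part of the original article): parse a raw HTTP
response head and audit it for the security headers listed above.
WEAK_RESPONSE and HARDENED_RESPONSE are constructed samples."""


def parse_response_head(raw):
    """Return (status_line, headers). Header names are lower-cased because
    HTTP header names are case-insensitive; repeated headers are joined with
    ', ' (Set-Cookie, which must not be joined, is not handled here)."""
    lines = raw.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line terminates the head
        if ":" not in line:
            continue                   # malformed line: skip rather than crash
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def audit_security_headers(headers):
    """Return a list of findings; an empty list means nothing was flagged.
    Checks are limited to headers discussed in this article."""
    findings = []
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security")
    if "content-security-policy" not in headers:
        if "content-security-policy-report-only" in headers:
            findings.append("CSP is report-only: not enforced")
        else:
            findings.append("missing Content-Security-Policy")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins is deprecated; remove it")
    return findings


# Constructed: response from a server with no hardening headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: response carrying the headers this section recommends.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)
```

Against the weak sample the audit returns five findings (no HSTS, no CSP, no nosniff, no framing protection, no Referrer-Policy); against the hardened sample it returns none.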