HTTP Headers

HTTP header is a field(key:value) in an HTTP request or response that contains extra information about the request or response.

Header Types

1. Reqeust header

HTTP client uses this to provide information about the request context, so that the server can tailor the response.
Header Name Content
Accept request header MIME types HTTP client is able to understand. 

Accept: text/html

Accept: image/*

// General default
Accept: */*

// Default for navigation requests
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
Authorization request header Provide credentials that authenticate a user agent with a server, allowing access to a protected resource 

Authorization: Basic 

OR

Authorization: Digest username=,    //Digest(String of the hex digits that proves that the user knows a password.)
realm="",
uri="",
algorithm=,
nonce="",
nc=,
cnonce="",
qop=,
response="",
opaque=""
Accept-Language natural language and locale that the client prefers 

Accept-Language: en-US,en;q=0.5
Referer Absolute or partial address from which a resource has been requested 

Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Referer: https://example.com/page?q=123
Referer: https://example.com/
Connection whether the network connection stays open after the current transaction finishes
If the value sent is keep-alive, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done. 

Connection: keep-alive
Connection: close
Upgrade-Insecure-Requests sends a signal to the server expressing the client's preference for an encrypted and authenticated response 

GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1
Fetch metadata request header - Provides additional information about the context from which the request originated.
- This allows the server to make decisions about whether a request should be allowed based on where the request came
- With this information a server can implement a resource isolation policy
- This approach can help mitigate common cross-site web vulnerabilities such as CSRF, Cross-site Script Inclusion('XSSI'), timing attacks, and cross-origin information leaks
- Forbidden header name: These headers are prefixed with Sec-, and hence have forbidden header names.
A forbidden header name is the name of any HTTP header that cannot be modified programmatically(ie using javascript)

Header Description
Sec-Fetch-Site - Tells relationship between a Request initiator's origin and the Requested resource's Origin. 

Sec-Fetch-Site: same-origin                  
/*
Meaning: Initiator is directly requesting the resource
Example: User sitting on laptop opens(https://www.espn.com). Since user is typing resource directly
*/

Sec-Fetch-Site: cross-site      
Sec-Fetch-Site: same-site
Sec-Fetch-Site: none
XFF (X-Forwarded-For)
Non Mandatory		 This is used for sending original IP header of client when the connection goes through a proxy or load balancer.
Why seeing original IP is important? logging, rate limiting
Example: Request from client IP 1.1.1.1 goes through a CDN (2.2.2.2) and then a load balancer. The application server receives the request with the following header: X-Forwarded-For: 1.1.1.1, 2.2.2.2
The leftmost IP (1.1.1.1) is the original client IP
XAU (X-Authenticated-User)
Non Mandatory		 Similar to XFF, this header contains authenticated username of the end user who made the request.
This is used to pass the user identity after initial authentication, preventing the need for re-authentication at every hop.
X-Authenticated-User: john.doe, The receiving service reads this header to know which user the request belongs to and applies appropriate access policies.

2. Response header

3. Representation header

describes one particular representation of a resource. Data might be present as XML, JSON, HTML
Header Name Meaning Content
Content-Type header Indicate the original media type(sound file might be labeled audio/ogg, or an image file image/png) of the resource
In requests, (such as POST or PUT), the client tells the server what type of data is actually sent. 

Syntax:
Content-Type: text/html; charset=utf-8
Content-Type: multipart/form-data; boundary=something
            
POST /foo HTTP/1.1
Content-Length: 68137
Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575

-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="description"

some text
-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="myFile"; filename="foo.txt"
Content-Type: text/plain

(content of the uploaded file foo.txt)
-----------------------------974767299852498929531610575--
Content-Encoding header Tells any encodings that have been applied to the message payload.
This lets the recipient know how to decode the representation in order to obtain the original payload format. 

Syntax:
Content-Encoding: gzip
Content-Encoding: compress
Content-Encoding: deflate
Content-Encoding: br
Content-Encoding: zstd
// Multiple, in the order in which they were applied
Content-Encoding: deflate, gzip