In practice, few of us spend much time learning about HTTP headers, even though we assume we know them. Yet for both the functionality and the security of the web applications we build, they matter a great deal. So what are HTTP headers, and what do they do?

Clients and servers exchange HTTP headers on every request and response. A header field consists of a case-insensitive name, a colon (:), and a value; the syntax is defined in RFC 9110 (HTTP Semantics) and RFC 9112 (HTTP/1.1), which replaced RFC 7230. RFC 4229, which is often cited here, is only an older registry of header field names. End users normally never see these headers; they are visible to the developers and operators working behind the scenes (and, of course, to anyone in a position to observe the traffic).

HTTP headers also specify how content is negotiated and encoded over the connection (e.g. Accept-Encoding), how the client identifies itself (e.g. Cookie, User-Agent), and what the client asks of the server (e.g. DNT, the Do Not Track header). Keep in mind that everything in a request header is supplied by the client and is trivially altered: a User-Agent string can be spoofed, and the apparent client address (which is not a header at all, though proxies may pass it along in X-Forwarded-For) can be hidden behind a proxy or VPN. A server must therefore never treat such values as proof of identity.

Where Is the Best Place to View HTTP Headers?

When you type the URL of any website into your browser (Chrome, Firefox, etc.), the browser sends requests to the server, which returns the site's content together with HTTP headers. The content is rendered in the main browser window, but the headers are not shown right away.

Open the developer tools by right-clicking anywhere in the page and choosing "Inspect" (or "Inspect Element"), or press F12 (Cmd+Option+I on macOS). Select the "Network" tab, reload the page if the list is empty (the Network panel records only requests made while it is open), and click a request in the "Name" column. The "Headers" tab then displays all HTTP headers for that request and its response. In Chrome the steps look like the figure below.

HTTP Headers

Take www.google.com as an example. Typing the URL into Chrome's address bar and pressing Enter, or clicking the reload button, both produce a GET request to www.google.com. You will then see many resources loaded, most of them scripts or other sub-resources requested by the page. In the request list, click any entry, e.g. www.google.com, to see its headers.

Chrome groups what it shows into three sections: General, Response Headers and Request Headers. Each section lists names with their corresponding values (the General section is a summary rather than a set of real header fields; see below).

Using context to categorize HTTP headers

As noted above, HTTP headers can be classified by context. Traditionally the classes were request headers, response headers and general headers. Today the "general" group has dropped out of the specification, and browser tooling merely uses the term for a summary of selected request and response details. The current classification by context has four groups: request headers, response headers, representation headers and payload headers.

1. Request headers

A request header carries information about the HTTP request so that the server can produce an appropriate response. The information may concern the resource being fetched (e.g. If-None-Match) or the client making the request (e.g. User-Agent).

An example request, with its headers:

GET /home.html HTTP/1.1
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://developer.mozilla.org/testpage.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Mon, 18 Jul 2016 02:36:04 GMT
If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"
Cache-Control: max-age=0
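To make the syntax concrete, here is an added example (not code from the original article), written in JavaScript for Node.js. It parses a raw HTTP/1.1 request head such as the one above into a case-insensitive header map and applies the checks RFC 9112 expects of a server-side parser: no whitespace between a field name and its colon, exactly one Host field in an HTTP/1.1 request, and rejection of a message that carries both Content-Length and Transfer-Encoding. The sample request is the article's own, reassembled with CRLF line endings; the function and variable names are this example's.

```javascript
// Added example (not from the original article): parse the head of a raw
// HTTP/1.1 request into a case-insensitive header map and apply the
// strictness checks a server-side parser is expected to make.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 "token" characters

function parseRequest(raw) {
  // The request head ends at the first empty line (CRLF CRLF).
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('request head not terminated by an empty line');
  const lines = raw.slice(0, end).split('\r\n');

  const [method, target, version] = lines[0].split(' ');
  if (!method || !target || !/^HTTP\/1\.[01]$/.test(version)) {
    throw new Error(`malformed request line: ${JSON.stringify(lines[0])}`);
  }

  // Header names are case-insensitive, so keys are stored lower-cased. A field
  // may legitimately repeat (e.g. several Cookie lines), so each key maps to
  // an array of values in the order received.
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error(`header line without a name: ${JSON.stringify(line)}`);
    const name = line.slice(0, colon);
    // RFC 9112 s5.1: no whitespace is allowed between the field name and the
    // colon. Reject rather than guess; a proxy in front of this server may
    // have read the same bytes differently.
    if (!TOKEN.test(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    const value = line.slice(colon + 1).trim(); // surrounding whitespace is not part of the value
    const key = name.toLowerCase();
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(value);
  }

  // HTTP/1.1 requires exactly one Host field (RFC 9112 s3.2).
  const hosts = headers.get('host') || [];
  if (hosts.length !== 1) throw new Error(`expected exactly one Host header, got ${hosts.length}`);

  // Both Transfer-Encoding and Content-Length present is the classic request
  // smuggling ambiguity (RFC 9112 s6.1); this parser simply refuses it.
  if (headers.has('transfer-encoding') && headers.has('content-length')) {
    throw new Error('both Transfer-Encoding and Content-Length present');
  }

  return { method, target, version, headers };
}

// Look up a header by any capitalisation; repeated fields are joined with ", ".
function header(req, name) {
  const values = req.headers.get(name.toLowerCase());
  return values === undefined ? undefined : values.join(', ');
}

// Constructed sample input: the request shown in the article, with CRLF line endings.
const SAMPLE_REQUEST = [
  'GET /home.html HTTP/1.1',
  'Host: developer.mozilla.org',
  'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0',
  'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Language: en-US,en;q=0.5',
  'Accept-Encoding: gzip, deflate, br',
  'Referer: https://developer.mozilla.org/testpage.html',
  'Connection: keep-alive',
  'Upgrade-Insecure-Requests: 1',
  'If-Modified-Since: Mon, 18 Jul 2016 02:36:04 GMT',
  'If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"',
  'Cache-Control: max-age=0',
  '', '',
].join('\r\n');

const parsed = parseRequest(SAMPLE_REQUEST);
console.log(parsed.method, parsed.target, header(parsed, 'host'), `${parsed.headers.size} header fields`);
```

Refusing malformed lines instead of tolerating them matters most when a proxy sits in front of the origin: if the two parse the same bytes differently, an attacker can hide a second request inside the first.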

2. Response headers

Response headers carry additional information about the response that is not part of the content itself, such as its age (Age), its location (Location) or the server providing it (Server).

Here are some example response headers:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2016 16:06:00 GMT
Etag: "c561c68d0ba92bbeb8b0f612a9199f722e3a621a"
Keep-Alive: timeout=5, max=997
Last-Modified: Mon, 18 Jul 2016 02:36:04 GMT
Server: Apache
Set-Cookie: mykey=myvalue; expires=Mon, 17-Jul-2017 16:06:00 GMT; Max-Age=31449600; Path=/; secure
Transfer-Encoding: chunked
Vary: Cookie, Accept-Encoding
X-Backend-Server: developer2.webapp.scl3.mozilla.com
X-Cache-Info: not cacheable; meta data too large
X-kuma-revision: 1085259
X-frame-options: DENY

Note what this example does and does not set. Set-Cookie carries the Secure attribute but neither HttpOnly nor SameSite; Access-Control-Allow-Origin: * lets any origin read the response, which is acceptable only for public, credential-free resources; X-Frame-Options: DENY prevents the page from being framed; and X-Backend-Server exposes an internal host name.
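As an added example (not from the original article; JavaScript for Node.js), the following function takes a list of response header lines like the ones above and reports what a security review would note: cookie attributes, the CORS origin, missing hardening headers and headers that disclose infrastructure details. The rules are this example's own selection of common checks, not a standard, and the sample input is the article's own header list.

```javascript
// Added example (not from the original article): audit a set of response
// header lines and return a list of findings as plain strings.
function splitHeaderLine(line) {
  const i = line.indexOf(':');
  return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
}

function auditResponseHeaders(lines) {
  const findings = [];
  const headers = new Map(); // lower-cased name -> array of values
  for (const line of lines) {
    if (!line.includes(':')) continue; // skip the status line
    const [name, value] = splitHeaderLine(line);
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  const get = (name) => headers.get(name) || [];

  // Set-Cookie: one finding per missing attribute, per cookie.
  for (const cookie of get('set-cookie')) {
    const cookieName = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`Set-Cookie ${cookieName}: missing Secure`);
    if (!attrs.includes('httponly')) findings.push(`Set-Cookie ${cookieName}: missing HttpOnly`);
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`Set-Cookie ${cookieName}: missing SameSite`);
  }

  // CORS: a wildcard origin is only appropriate for public, credential-free resources.
  if (get('access-control-allow-origin').includes('*')) {
    findings.push('Access-Control-Allow-Origin: * (any origin may read this response)');
  }

  // Hardening headers that are absent.
  if (get('strict-transport-security').length === 0) findings.push('missing Strict-Transport-Security');
  if (get('content-security-policy').length === 0) findings.push('missing Content-Security-Policy');
  if (!get('x-content-type-options').some((v) => v.toLowerCase() === 'nosniff')) {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
  const xfo = get('x-frame-options').map((v) => v.toUpperCase());
  const cspFrames = get('content-security-policy').some((v) => /frame-ancestors/i.test(v));
  if (!xfo.some((v) => v === 'DENY' || v === 'SAMEORIGIN') && !cspFrames) {
    findings.push('missing framing protection (X-Frame-Options or CSP frame-ancestors)');
  }

  // Informational: headers that reveal server software or internal host names.
  for (const name of ['server', 'x-backend-server', 'x-powered-by']) {
    for (const v of get(name)) findings.push(`${name} discloses "${v}"`);
  }
  return findings;
}

// Constructed sample input: the response shown in the article.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: *',
  'Connection: Keep-Alive',
  'Content-Encoding: gzip',
  'Content-Type: text/html; charset=utf-8',
  'Date: Mon, 18 Jul 2016 16:06:00 GMT',
  'Etag: "c561c68d0ba92bbeb8b0f612a9199f722e3a621a"',
  'Keep-Alive: timeout=5, max=997',
  'Last-Modified: Mon, 18 Jul 2016 02:36:04 GMT',
  'Server: Apache',
  'Set-Cookie: mykey=myvalue; expires=Mon, 17-Jul-2017 16:06:00 GMT; Max-Age=31449600; Path=/; secure',
  'Transfer-Encoding: chunked',
  'Vary: Cookie, Accept-Encoding',
  'X-Backend-Server: developer2.webapp.scl3.mozilla.com',
  'X-Cache-Info: not cacheable; meta data too large',
  'X-kuma-revision: 1085259',
  'X-frame-options: DENY',
];

for (const finding of auditResponseHeaders(SAMPLE_RESPONSE)) console.log('-', finding);
```

Run against the article's headers, the audit flags the cookie's missing HttpOnly and SameSite attributes, the wildcard CORS origin, the absent Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options headers, and the two disclosing headers, while X-Frame-Options: DENY satisfies the framing check.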

3. Representation headers

Representation headers describe how the resource is represented in the message body: its media type (Content-Type), any encoding or compression applied to the body (Content-Encoding), and other information about that particular representation.

A resource can have several representations, i.e. different versions an application may return for a request. The same data resource might be formatted as XML or JSON, and that format might then be compressed for transmission. Representation headers may appear in both HTTP requests and responses.

Some example representation headers:

Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Content-Language: de-DE, en-CA
Content-Location: /my-receipts/38

4. Payload headers

Payload headers carry information about the message payload itself: what is needed to transport it safely and to reconstruct the original representation from one or more messages. They are independent of the representation and cover things such as the payload length (Content-Length), which part of the resource a message carries (Content-Range), the encoding applied for transport (Transfer-Encoding), and fields sent after the body (Trailer).

Payload headers may appear in both HTTP requests and responses.

Here are some example payload headers:

Content-Length: 6553
Content-Range: bytes 200-1000/67589
Trailer: Max-Forwards
Transfer-Encoding: gzip, chunked

5. General headers

Historically, "general headers" meant headers usable in both requests and responses that do not describe the content. This class is no longer part of the specification; headers are simply referred to as request or response headers. Some browser tooling, such as Chrome's Network panel, still shows a "General" section, but its entries are not HTTP header fields at all: they summarise the request (URL, method, status code, remote address) and the document's referrer policy.

Here is what Chrome's General section shows for one request:

Request URL: https://www.google.com/log?format=json&hasfast=true&authuser=0
Request Method: POST
Status Code: 200
Remote Address: 127.0.0.1:8888
Referrer Policy: origin

A loopback Remote Address such as 127.0.0.1:8888 for a request to www.google.com means the browser is not connecting to Google directly but to a local proxy (for example a debugging or intercepting proxy); that is worth recognising when you read these panels during a security review.

Categorization of HTTP Headers based on their functions

Developers can also categorize HTTP headers by function, since each header serves a specific purpose in the exchange between client and server.

Categorization of HTTP Headers