HTTP Headers

HTTP headers are key components of the Hypertext Transfer Protocol (HTTP) that allow the server and client to exchange additional information along with a request or response.  

They contain metadata about the resource being requested or served, including details on content type, length, and how the server or client should handle the data. HTTP headers facilitate the communication between the browser (client) and the server, ensuring smooth web transactions. 

What are HTTP Headers? 

HTTP headers are part of the HTTP protocol that carries metadata between clients (browsers or applications) and servers.  

They contain key-value pairs that provide important information about the request or response, such as the browser type, content type, encoding, and much more. There are different types of headers, including general, request, response, and entity headers. 

General HTTP Headers 

These headers provide general information applicable to both request and response messages, such as Connection, which controls whether the network connection stays open after the current transaction. 

Example: 

Connection: keep-alive

Request Headers 

Request headers are sent by the client (browser or application) when making an HTTP request to the server. These headers convey information about the client’s request and preferences, like the language, accepted content types, and authentication credentials. 

Examples include: 

• User-Agent: Identifies the client software initiating the request. 

• Accept: Indicates the content types the client can process. 

Example: 

User-Agent: Mozilla/5.0 
Accept: text/html, application/json 

Response Headers 

Response headers are sent by the server to provide information about the server itself, the data being sent, and instructions for the client.

Common response headers include: 

• Content-Type: Specifies the type of data being returned (e.g., HTML, JSON). 

• Cache-Control: Provides caching directives to the client. 

Example: 

Content-Type: application/json 
Cache-Control: no-cache 

Entity Headers 

These headers contain information about the body of the resource, such as its size, modification date, or encoding format. 

Examples include: 

• Content-Length: Specifies the size of the response body in bytes. 

• Content-Encoding: Describes any encoding applied to the response body, such as gzip compression. 

Example: 

Content-Length: 5234 
Content-Encoding: gzip 

Commonly Used HTTP Headers 

1. Authorization

Used to pass authentication credentials with a request. This header is vital for securing access to protected resources. 

Example: 

Authorization: Bearer <token> 
 

2. Referer

Indicates the URL of the previous webpage from which a request was made. It helps servers identify the source of traffic. 

Example: 

Referer: https://example.com/ 

3. Set-Cookie

Sent in response headers, this sets a cookie in the client’s browser. Cookies are used to store session data, preferences, or tracking information. 

Example: 

Set-Cookie: sessionId=abc123; HttpOnly; Secure 

4. Content-Security-Policy (CSP)

CSP helps prevent cross-site scripting (XSS) and other code injection attacks by defining approved content sources. 

Example: 

Content-Security-Policy: default-src ‘self’; img-src https://images.example.com 

How HTTP Headers Work 

When a browser or client sends an HTTP request to a server, the request headers are included to describe various parameters of the request, such as the format of the data the client expects and details about the client device.  

The server responds with response headers that describe the resource being returned, its format, how long it can be cached, and other directives for the client to handle the data. 

Request and Response Cycle with HTTP Headers: 

1. Client Makes a Request: The client (usually a web browser) sends an HTTP request with headers indicating the type of resource it is requesting, such as a webpage, image, or data. 
2. Server Processes the Request: The server processes the request, checks for authorization, and prepares the appropriate response. 
3. Response Headers: The server sends HTTP response headers along with the content, specifying the type of content, its encoding, and other relevant data. 
4. Client Receives the Response: The browser interprets the response headers to determine how to handle and display the content. 

How to Prevent HTTP Header Spoofing 

HTTP header spoofing occurs when attackers manipulate HTTP headers to forge a different identity or manipulate a request.

This can lead to security vulnerabilities such as cross-site scripting (XSS), session hijacking, or cache poisoning. Protecting against HTTP header spoofing involves: 

• Strict Input Validation: Ensuring that input data is sanitized before being processed. 

• Using HTTPS: Secure HTTPS connections prevent man-in-the-middle attacks that could modify HTTP headers in transit. 

• Enforcing Content Security Policies: Defining strict rules for accepted content sources. 

• Header Encryption: Encrypting sensitive headers such as Authorization.