Friday, December 17, 2010

Rediscovering HTTP Headers

I haven't used raw HTTP headers in so long that, when I needed to troubleshoot them again, it turned into a small research project. So here it is, where I can hopefully find it again when I draw a blank next time around.

What are HTTP Headers?

HTTP Headers are explained in more detail here -

HTTP headers are plain text pieces of data (string name/value pairs) passed back and forth between web server and browser with each web request.

The browser typically sends request headers to the server which can include things like the browser version being used to make the request. Here is an example set of headers for a GET request:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie:|utmccn=(referral)|utmcmd=referral|utmcct=/navbar.g; __utma=7506145.1224262850.1253640086.1292536031.1292536661.294; __utmb=7506145.3.10.1292536661; __utmc=7506145
If-Modified-Since: Tue, 07 Dec 2010 16:18:07 GMT
If-None-Match: "bb02d252-a672-46a3-a001-96c62017ec35"
Cache-Control: max-age=0

The server typically sends response headers, which can include things like the web server software version. Here is an example of a 200 OK response header from the server back to the browser:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 16 Dec 2010 22:02:54 GMT
Date: Thu, 16 Dec 2010 22:02:54 GMT
Last-Modified: Tue, 07 Dec 2010 16:18:07 GMT
Etag: "bb02d252-a672-46a3-a001-96c62017ec35"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 15991
Server: GSE
Cache-Control: public, max-age=0, must-revalidate, proxy-revalidate
Age: 0

HTTP headers are sent before the content of the message - the HTML part from web server to browser in a response, or form/url data in a request - and a blank line separates the header block from that content. HTTP headers are not displayed/rendered by your browser.
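To make the name/value structure concrete, here is an added example (not code from the original post) that splits a raw response into status line, headers and body, then reports headers that reveal server software and whether nosniff is set. The function names are hypothetical, the sample response is constructed from the headers shown above with a shortened body, and X-Powered-By and X-AspNet-Version are not in the post's example but are other common software-disclosing headers.

```python
# Constructed sample: a subset of the response headers shown above, short body.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 13\r\n"
    "Server: GSE\r\n"
    "\r\n"
    "<html></html>"
)

def parse_message(raw):
    """Split a raw HTTP message into (start_line, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.split("\r\n")
    start_line, headers = lines[0], {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject lines with no colon, an empty name, or whitespace around
        # the name: lenient parsing here is a classic source of
        # disagreement between proxies and servers.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()  # header names are case-insensitive
        value = value.strip()
        # Repeated headers are joined with a comma (Set-Cookie is the
        # well-known exception and would need a list instead).
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return start_line, headers, body

# Headers that commonly reveal server software (assumed list, see lead-in).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

def review(headers):
    """Return (software-disclosing headers found, whether nosniff is set)."""
    disclosed = {k: headers[k] for k in DISCLOSING if k in headers}
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    return disclosed, nosniff

if __name__ == "__main__":
    start, hdrs, body = parse_message(RAW_RESPONSE)
    print(start, review(hdrs), len(body))
```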

HTTP Headers and Browser Cookies
Cookie data, when needed, is encrypted and transmitted via HTTP headers too - but HTTP headers themselves are not cookies.

more info on HTTP Cookies -

Custom HTTP Headers and IIS
HTTP header data is just one big string formatted in a way that the browser and web server can parse and understand. ISAPI filters in IIS can be used to intercept all HTTP request traffic between the server and client, modifying the standard IIS request/response header string as needed so that your own ISAPI filter can provide additional custom header information to the web server and the client browser.

Tools For Viewing Raw HTTP Headers From Your Browser
