HTTP Header

[Last Updated: Jun 7, 2017]


An HTTP header is an optional meta-information about the message being sent. This information might also contain specific details about the sender.

Both request and response messages can have header.

An HTTP Header consists of multiple name-value pairs. Each name and value are separated by a colon :
Each pair is written in a separate line.

Following is a typical request header example when sent from a browser:
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp ....
user-agent:Mozilla/5.0 (Windows NT 6.3; WOW64) ...
accept-encoding:gzip, deflate, sdch

Following is a typical response header example when sent from a server:
Date:Wed, 17 Feb 2016 19:57:04 GMT

Commonly used standard request Headers


Media types that a client can accept.
Example: Accept: text/html


Character sets that are acceptable.
Example: Accept-Charset: utf-8


List of acceptable encodings (converting message into a coded form).
Example: Accept-Encoding: gzip, deflate


Set of natural languages that are preferred as a response to the request.
Example: Accept-Language: en-US,en;q=0.8


The Connection header field allows the sender to specify options that are desired for that particular connection. When we make requests with "Connection: keep-alive" the subsequent request to the server will use the same TCP connection. This is called HTTP persistent connection. The default connection timeout of Apache httpd 2.2 and above is five seconds. "Connection: close" indicates that once the request has been made the server needs to close the connection. And so for each request a new TCP connection will be established.
Example: Connection: keep-alive


This contains tokens that provide specific details about the system and browser/application making the request.
Example: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) ... Chrome/48.0.2564.109 ...


The email address of the user making the request


Authentication credentials for HTTP authentication
Example: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


If the requested variant has not been modified since the time specified in this field, an entity will not be returned from the server; instead, a 304 (not modified) response will be returned without any message-body.
Example: If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Commonly used standard response Headers


This header indicates whether the resource may be cached by the browser. Some of the values are "no-cache", "max-age=<number of seconds>", "no-store", "must-revalidate" ", "only-if-cached"
Example: Cache-Control: max-age=3600


The type of encoding used on the body data.
Example: Content-Encoding: gzip


The length of the response body in octets (8-bit bytes).
Example: Content-Length: 348


The MIME type of the body data.
Example: Content-Type:text/html;charset=ISO-8859-1


It can be used to supply the resource location for the entity enclosed in the message when it is accessible from alternate location separate from the requested resource's URI. It can also be used when a requested resource has multiple representations available, e.g. multiple languages.
Example: Content-Location: /data.json


The date and time when the message was sent.
Example: Date:Wed, 17 Feb 2016 19:57:04 GMT


The last modified date for the requested resource.
Example: Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT


Used in redirection, or when a new resource has been created.
Example: Location:


It may contain Implementation-specific fields. For example 'no-cache' used for HTTP/1.0 implementation to prevent caching on client.
Example: Pragma: no-cache


If an entity is temporarily unavailable, this directive tells the client to try again later.
Example: Retry-After: 120, also: Retry-After: Fri, 07 Nov 2014 23:59:59 GMT


A name for the server along with other details
Example: Server:Apache-Coyote/1.1


The Set-Cookie header is sent by the server to create a cookie on the user's system.
Example: Set-Cookie: UserID=joe; last-visited=2016-02-14


The Allow header field lists the set of methods supported by the resource identified by the Request-URI.
Example: Allow: GET, HEAD


If an HTTP request lacks credentials, the server can reply with 401 (Unauthorized) status code and the WWW-Authenticate header field.

The WWW-Authenticate header field indicates the authentication scheme(s) and parameters applicable to the target resource.
Example: WWW-Authenticate: Basic realm="Some value"

Where realm value is used to group the resources. All pages within this group will share the same authentication credentials.

Sending Custom Headers in HTTP request

A HTTP request can also include custom headers.

That's not possible using HTML hyperlink or through from submission.

We can use Ajax's XMLHttpRequest object to set custom headers.

xmlhttp.setRequestHeader("myCustomHeader", headerValue);

Or we can also use JQuery:

beforeSend: function(xhr){
xhr.setRequestHeader("myCustomHeader", headerValue);

Or using any http client API. For example in Java we can use to send standard or custom headers like this:

URL obj = new URL(theUrl);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
//adding header
con.setRequestProperty("myCustomHeader", headerValue);

See Also