HTTP headers

HTTP headers are part of both the HTTP message sent by the browser and the response returned by the web page, and they contain additional information and instructions.

In an HTTP request, headers can inform a website, for example, about the type of device the request is coming from, so that the website can tailor the response to fit the device. Headers are also used, for example, for authentication and maintaining login status, as well as many other purposes. Good examples are Content-Type and Content-Length headers, which indicate the format and size of the data sent by the browser.

In HTTP responses, headers serve the same purpose as in queries, that is, they allow the website to provide additional information about the returned data and give instructions to the browser on how to behave.

In the following HTTP request, the highlighted fields are interpreted as HTTP headers. After the HTTP headers, the actual data that the browser sends to the webpage follows.

In the following HTTP response, the highlighted fields are interpreted as HTTP headers. After the HTTP headers, the HTTP body returned by the web page follows.

Common headers in HTTP requests

• Host
• Host- header is required in every HTTP/1.1 protocol message. The Host header specifies the target and port of the request. However, it is important to remember that this does not define where the message is sent, and it is possible to modify and exploit this in certain vulnerabilities.
• Cookie
• The Cookie-header allows the browser to include cookies in HTTP requests, which can maintain the state between the user and the application. Cookies can be used, for example, to maintain the user's session, so when logging in, the application sets its desired cookies in the browser with the Set-Cookie header.
• Content-Length
• Content-Length- header tells the browser to the application the size of the HTTP request body. This header is required in the HTTP/1.1 protocol but not in the newer HTTP/2 protocol.
• Content-Type
• Content-Type- is used to indicate the format of the body of an HTTP request. The data contained in HTTP messages can be in different formats such as XML, JSON, or image.
• Referer
• Referer-header contains a partial or complete address from which the URL message is sent. The header is visible in HTTP requests, for example, when a user navigates to a link on a webpage. The header has caused both security and privacy issues, which is why its usage has been restricted in browsers and can be controlled by the application.
• User-Agent
• User-Agent-header enables the identification of the application, operating system, and/or version performing the HTTP request. This allows websites, for example, to determine whether the user is using a phone or a computer.

Common headers in HTTP responses

• Set-Cookie
• With the Set-Cookie header, the application is able to store cookies in the browser that the browser sends in future HTTP requests in the Cookie header. This header is critical for security, so there are several additional protections available to control cookies and attempt to protect them.
• Location
• Location- header is commonly used in redirects, where the application tells the browser to navigate to a specific address.
• Cache-Control
• Cache-Control header allows the application to control the data that ends up in the browser cache. By default, browsers save everything they see in the cache, which is located on the computer's hard drive. This also has significance in terms of cybersecurity, as it is important to prevent sensitive information from being saved on the computer without the user's knowledge.
• Content-Length
• With the Content-Length header, the application tells the browser the size of the HTTP body contained in the HTTP response. This is a required header in the HTTP/1.1 protocol, but not in the newer HTTP/2 protocol.
• Content-Type
• Content-Type- header is used to indicate the format of the body contained in an HTTP response. The data contained in HTTP messages can be in several different formats such as XML, JSON, an image, or HTML code.