HTTP headers are sent with every request and response exchanged between the client and the server, and they carry additional information about the browser, the web page, the server and so on. The syntax of an HTTP header is the header name, followed by a colon (:), followed by the value.
HTTP Request headers
HTTP Request headers provide information about the data or web page that is to be fetched and information about the client who has made the request.
When a client's browser requests a web page through its URL, HTTP request headers are sent along with the request and received by the server. An example (the request sent to the bitarray.io page):
GET / HTTP/1.1
Host: www.bitarray.io
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept-Encoding: gzip, deflate, br
Every request starts with a request line containing the method, such as GET or POST, followed by the path and the protocol version; the HTTP headers are listed after it.
Examples of request headers:
Accept– The Accept request header specifies which media types are acceptable to the client. The server then responds with the appropriate Content-Type.
Accept-Encoding– The Accept-Encoding request header tells the server which compression methods the client accepts. The server then selects one of them and reports its choice to the client in the Content-Encoding response header.
Authorization– This request header carries the credentials needed when a web page requires authorization. The browser sends it, for example, after the user submits login credentials.
Cookie– An HTTP cookie is sent by the server and stored by the browser. The stored cookies are then sent along with each subsequent request to that server, which lets the server recognise that the requests came from the same browser. Cookies are used for several things: session management (login state or other useful client-side information), tracking (recording the user's behaviour, which is how the advertisements you see end up matching your Google searches) or personalisation (theme settings etc.).
User-Agent– Information about the client's application type, browser name/version, operating system and default language is packed into a string and sent with the request, which lets the server identify the user agent. The server can use it to decide which version of the site to send for compatibility; for example, a mobile user may be redirected to the mobile version of the site.
HTTP Response headers
HTTP/1.1 200 OK
Date: Sun, 16 Feb 2020 02:06:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.bitarray.io/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Content-Length: 11324
Keep-Alive: timeout=5, max=98
Content-Type: text/html; charset=UTF-8
Content-Type– This response header indicates the content type (MIME type) of the body the server returns, so the client knows what media type it has received.
Content-Length– This header gives the size of the content the server sends to the client.
Set-Cookie– This response header is used to set or update a cookie in the browser. Each cookie is sent in its own Set-Cookie header. The server sends these cookies to the client, and the client sends them back to the server with later requests.
General headers– General headers are used in both requests and responses but describe neither the content nor the client or server specifically. The most commonly used general headers are Date, Cache-Control and Connection.
Cache-Control– The Cache-Control general header carries directives such as how long the client's browser may keep a cached copy of the server's response; every cache along the way must obey these directives.
For example, when the server sends a response it can include Cache-Control directives telling the client to cache it for a given time, usually expressed in seconds.
Date– This general header gives the date and time at which the request or response originated.
Connection– This general header controls whether the connection stays open or is closed once the transaction is finished. The keyword keep-alive indicates that the connection stays open.
Entity headers– Entity headers describe the content of the message sent or received and can appear in both HTTP requests and responses. Examples of entity headers are Content-Length, Content-Language and Content-Encoding.
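The request and response messages quoted above share one wire format: a start line, then one header per line, then a blank line. The parser below is an added example, not code from the article; the two sample messages in it are constructed, modelled on the ones quoted above, and it deliberately keeps repeated headers (Set-Cookie) as a list rather than letting a later value overwrite an earlier one.

```python
from typing import Dict, List, Tuple

def parse_message(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 message into its start line and a header map.

    Header names are case-insensitive, so they are normalised to lower
    case.  A name may repeat (Set-Cookie does), so each name maps to the
    list of values in the order they appeared.
    """
    head, _, _body = raw.partition("\r\n\r\n")   # headers end at the blank line
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)          # split only at the first colon
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def request_method(start_line: str) -> str:
    """'GET / HTTP/1.1' -> 'GET': the method is the first token of a request line."""
    return start_line.split(" ", 2)[0]

def response_status(start_line: str) -> int:
    """'HTTP/1.1 200 OK' -> 200: the status code is the second token."""
    return int(start_line.split(" ", 2)[1])

# Constructed sample messages, modelled on the ones quoted in the article.
REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.bitarray.io\r\n"
    "Cache-Control: max-age=0\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "Set-Cookie: theme=dark\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    line, hdrs = parse_message(REQUEST)
    print(request_method(line), hdrs["host"])
    line, hdrs = parse_message(RESPONSE)
    print(response_status(line), hdrs["set-cookie"])
```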
Importance of HTTP headers
Web apps are exposed to attacks, and developers' main concern is building apps that withstand them. A few lines of configuration setting HTTP response headers can significantly improve a web app's security by reducing its exposure to such attacks and vulnerabilities.
HTTP headers can be tuned to this end: disabling caching with the Cache-Control header, for instance, keeps confidential data from being stored along the way. You can also enforce HTTPS with the Strict-Transport-Security header and add the site to the browsers' preload list. Headers also provide options to block clickjacking and to whitelist the sources from which content may be loaded.
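The following audit function is an added example, not from the article: it checks one response's header map for the protections just described (no-store caching for confidential responses, HSTS strong enough for the preload list, clickjacking protection and a whitelisting Content-Security-Policy) and returns what is missing. The one-year HSTS threshold and the two header sets are assumptions constructed for the example.

```python
from typing import Dict, List

def audit_security_headers(headers: Dict[str, str], sensitive: bool = True) -> List[str]:
    """Return a list of findings for one response; an empty list means all checks passed."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    # Confidential responses should never be stored by browsers or proxies.
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if sensitive and "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; response may be cached")

    # HSTS makes the browser use HTTPS only; preload needs a long max-age,
    # includeSubDomains and the preload token (one year assumed as the minimum).
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        parts = {p.strip().lower() for p in hsts.split(";")}
        max_age = next((int(p[8:]) for p in parts
                        if p.startswith("max-age=") and p[8:].isdigit()), 0)
        if max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in parts or "preload" not in parts:
            findings.append("HSTS not eligible for the browser preload list")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if not csp:
        findings.append("Content-Security-Policy missing; content sources are not whitelisted")
    return findings

# Constructed header sets: a weak configuration and its hardened counterpart.
WEAK = {"Cache-Control": "max-age=0", "Content-Type": "text/html"}
HARDENED = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```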
An HTTP cookie is part of the server's response to a client's request. The client stores the cookie and sends it back to the server with the next request.
Cookies let both sides recognise that a request came from the same source, and they let the server keep state such as the user being logged in. Cookies are used to manage sessions (login state, browsing history, the user's theme settings) and to implement authentication. The server sets a cookie with the Set-Cookie header: after receiving an HTTP request, it can include a Set-Cookie header in its response. The client stores the cookie and sends its value with the next request to the same server in the Cookie request header. HTTP cookies can also have an explicitly defined lifetime and expiry.
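The Set-Cookie / Cookie round trip and the lifetime rule described above, as an added example rather than code from the article: a minimal client-side cookie jar that stores what the server sets, drops cookies once their Max-Age has elapsed, and only returns Secure cookies over HTTPS. Only the Max-Age, Secure and HttpOnly attributes are handled; Expires, Domain and Path are left out, and the sample headers and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class Cookie:
    name: str
    value: str
    expires_at: Optional[float]   # absolute time in seconds; None = session cookie
    secure: bool = False
    http_only: bool = False

def parse_set_cookie(header: str, now: float) -> Cookie:
    """Parse one Set-Cookie value received at time `now`."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name.strip(), value.strip(), None)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            cookie.expires_at = now + int(val)   # Max-Age counts from receipt
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie

class CookieJar:
    """Stores cookies by name, as a browser does for one host."""
    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def receive(self, set_cookie_headers: Iterable[str], now: float) -> None:
        """Apply the Set-Cookie headers of one response."""
        for header in set_cookie_headers:
            c = parse_set_cookie(header, now)
            if c.expires_at is not None and c.expires_at <= now:
                self.cookies.pop(c.name, None)   # Max-Age=0 deletes the cookie
            else:
                self.cookies[c.name] = c         # same name replaces the old value

    def cookie_header(self, now: float, https: bool) -> str:
        """Build the Cookie request header, omitting expired and Secure-only cookies."""
        live = [c for c in self.cookies.values()
                if (c.expires_at is None or c.expires_at > now) and (https or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in live)

if __name__ == "__main__":
    jar = CookieJar()
    jar.receive(["session=abc123; Max-Age=60; Secure; HttpOnly", "theme=dark"], now=1000.0)
    print(jar.cookie_header(now=1010.0, https=True))
```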