Supported Headers
Supported HTTP headers and value parsing strategies best suited for them.
Header Name | Parsing Strategy | Value Examples |
---|---|---|
Accept | hthvParse | `text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8` |
Accept-Charset | hthvParse | `utf-8, iso-8859-1;q=0.5` |
Accept-Encoding | hthvParse | `deflate, gzip;q=1.0, *;q=0.5` |
Accept-Language | hthvParse | `fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5` |
Accept-Patch | hthvParse | `text/example;charset=utf-8` |
Accept-Ranges | as-is | `bytes` |
Access-Control-Allow-Credentials | as-is | `true` |
Access-Control-Allow-Headers | trivial | `X-Custom-Header, Upgrade-Insecure-Requests` |
Access-Control-Allow-Methods | trivial | `POST, GET, OPTIONS` |
Access-Control-Allow-Origin | as-is | `https://developer.mozilla.org:8080` |
Access-Control-Expose-Headers | trivial | `*, Authorization` |
Access-Control-Max-Age | as-is | `600` |
Access-Control-Request-Headers | trivial | `X-PINGOTHER, Content-Type` |
Access-Control-Request-Method | as-is | `POST` |
Age | as-is | `24` |
Allow | trivial | `GET, POST, HEAD` |
Alt-Svc | hthvParse | `h2="alt.example.com:8000", h2=":443"; ma=2592000; persist=1` |
Authorization | hthvParse | `Basic YWxhZGRpbjpvcGVuc2VzYW1l` |
Cache-Control | hthvParse | `public, max-age=31536000` |
Clear-Site-Data | hthvParse | `"cache", "cookies", "storage", "executionContexts"` |
Connection | as-is | `keep-alive` |
Content-Disposition | hthvParse | `form-data; name="field2"; filename="example.txt"` |
Content-Encoding | trivial | `gzip, identity` |
Content-Language | trivial | `de, en` |
Content-Length | as-is | `2545434` |
Content-Location | as-is | `/documents/foo?format=json` |
Content-Range | hthvParse | `bytes 200-1000/67589` |
Content-Security-Policy | hthvParseDirectives | `default-src 'self' http://example.com; connect-src 'none';` |
Content-Security-Policy-Report-Only | hthvParseDirectives | `default-src 'self' http://example.com; connect-src 'none';` |
Content-Type | hthvParse | `text/html; charset=UTF-8`<br>`multipart/form-data; boundary=----------974767299852498929531610575` |
Cookie | hthvParseSemiSep<br>then hthvFlatten? | `PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1` |
Cross-Origin-Resource-Policy | as-is | `same-origin` |
DNT | as-is | `1` |
Date | as-is | `Wed, 21 Oct 2015 07:28:00 GMT` |
Device-Memory | as-is | `1` |
Digest | hthvParse | `sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=,unixsum=30637` |
ETag | hthvParse | `"33a64df551425fcc55e4d42a148795d9f25f89d4"`<br>`W/"0815"` |
Early-Data | as-is | `1` |
Expect | as-is | `100-continue` |
Expect-CT | hthvParse<br>then hthvFlatten? | `max-age=86400, enforce, report-uri="https://foo.example/report"` |
Expires | as-is | `Wed, 21 Oct 2015 07:28:00 GMT` |
Feature-Policy | hthvParseDirectives | `microphone 'none'; geolocation 'none'` |
Forwarded | hthvParse | `for=192.0.2.60;proto=http;by=203.0.113.43`<br>`For="[2001:db8:cafe::17]:4711"`<br>`for=192.0.2.43, for=198.51.100.17` |
From | as-is | `[email protected]` |
Host | as-is | `developer.cdn.mozilla.net` |
If-Match | hthvParse | `"67ab43", W/"54ed21", "7892dd"` |
If-Modified-Since | as-is | `Wed, 21 Oct 2015 07:28:00 GMT` |
If-None-Match | hthvParse | `W/"67ab43", "54ed21", "7892dd"` |
If-Range | hthvParse | `W/"675af34563dc-tr34"`<br>`Wed, 21 Oct 2015 07:28:00 GMT` |
If-Unmodified-Since | as-is | `Wed, 21 Oct 2015 07:28:00 GMT` |
Keep-Alive | hthvParse<br>then hthvFlatten? | `timeout=5, max=1000` |
Large-Allocation | as-is | `500` |
Last-Modified | as-is | `Wed, 21 Oct 2015 07:28:00 GMT` |
Link | hthvParse | `<https://example.com/index.html?mode=preconnect>; rel="preconnect"` |
Location | as-is | `/index.html` |
Origin | as-is | `https://developer.mozilla.org` |
Proxy-Authenticate | hthvParse | `Basic realm="Access to the internal site"` |
Proxy-Authorization | hthvParse | `Basic YWxhZGRpbjpvcGVuc2VzYW1l` |
Public-Key-Pins | hthvParse | `pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains; report-uri="https://www.example.org/hpkp-report"` |
Public-Key-Pins-Report-Only | hthvParse | `pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; includeSubDomains; report-uri="https://www.example.org/hpkp-report"` |
Range | hthvParse | `bytes=200-1000, 2000-6576, 19000-` |
Referer | as-is | `https://developer.mozilla.org/en-US/docs/Web/JavaScript` |
Referrer-Policy | as-is | `strict-origin-when-cross-origin` |
Retry-After | as-is<br>or hthvParse | `120`<br>`Wed, 21 Oct 2015 07:28:00 GMT` |
Save-Data | as-is | `on` |
Sec-WebSocket-Accept | as-is | `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=` |
Server | hthvParseCommented | `Apache/2.4.1 (Unix)` |
Server-Timing | hthvParse | `cache;desc="Cache Read";dur=23.2` |
Set-Cookie | hthvParseDT | `id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT, __Host-ID=123; Secure; Path=/` |
SourceMap | as-is | `/path/to/file.js.map` |
Strict-Transport-Security | hthvParseSemiSep<br>then hthvFlatten? | `max-age=63072000; includeSubDomains; preload` |
TE | hthvParse | `trailers, deflate;q=0.5` |
Timing-Allow-Origin | trivial | `https://developer.mozilla.org, http://example.com` |
Tk | as-is | `N` |
Trailer | trivial | `Date, Expires` |
Transfer-Encoding | trivial | `gzip, chunked` |
Upgrade-Insecure-Requests | as-is | `1` |
User-Agent | hthvParseCommented | `Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1` |
Vary | trivial | `User-Agent, Accept-Language` |
Via | hthvParseDirectives | `HTTP/1.1 GWA, 1.0 fred, 1.1 p.example.net` |
WWW-Authenticate | hthvParse | `Basic realm="Access to the staging site", charset="UTF-8"` |
Want-Digest | hthvParse | `SHA-512;q=0.3, sha-256, md5;q=0` |
Warning | hthvParseDirectives | `110 anderson/1.3.37 "Response is stale", 112 - "cache down" "Wed, 21 Oct 2015 07:28:00 GMT"` |

Some header values are best read verbatim.

```
Location: http://example.com/matrix;param1=2?q=search
```

This value causes multiple problems for hthvParse because it contains separators, but it can simply be treated verbatim instead.

Some headers may carry values in different formats.

```
Retry-After: Wed, 21 Oct 2015 07:28:00 GMT
Retry-After: 120
```

In this case it may be reasonable to use hthvParseDT to distinguish between the two forms. In this particular example, however, the same result can be achieved more efficiently:

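```typescript
// Raw Retry-After header value (sample): either delay seconds or an HTTP date.
const retryAfter: string = '120';

const retryAfterSeconds = parseInt(retryAfter, 10);
let whenRetry: Date;

if (isNaN(retryAfterSeconds)) {
  // Not a number of seconds: treat the value as an HTTP date.
  whenRetry = new Date(retryAfter);
} else {
  // Delay in seconds, counted from now.
  whenRetry = new Date();
  whenRetry.setSeconds(whenRetry.getSeconds() + retryAfterSeconds);
}
```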
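
A stricter variant of the `Retry-After` handling above, as an added example that is not part of the hthv project: `parseInt` reads `120abc` as 120 and `new Date` yields an Invalid Date for unparseable input, so this version validates both forms and clamps the result. The name `parseRetryAfter`, the `MAX_DELAY_MS` cap and the restriction to the `Wed, 21 Oct 2015 07:28:00 GMT` date layout are assumptions of this example.

```typescript
// Added example, not hthv code. MAX_DELAY_MS is an assumed client policy:
// never wait longer than one day, whatever the server asks for.
const MAX_DELAY_MS = 24 * 60 * 60 * 1000;

// Only the fixed-length HTTP-date layout shown on this page is accepted:
// "Wed, 21 Oct 2015 07:28:00 GMT".
const HTTP_DATE =
  /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$/;

// Returns the earliest moment to retry, or undefined for a malformed value.
function parseRetryAfter(value: string, now: Date = new Date()): Date | undefined {
  const raw = value.trim();
  let at: number;

  if (/^\d{1,9}$/.test(raw)) {
    // Delay in seconds: digits only, so "120abc", "-5" and "1e9" are rejected.
    at = now.getTime() + Number(raw) * 1000;
  } else if (HTTP_DATE.test(raw)) {
    at = Date.parse(raw);
    if (Number.isNaN(at)) {
      return undefined; // right layout, but not a date Date.parse can read
    }
  } else {
    return undefined;
  }

  // Clamp: a date in the past means "retry now"; a huge delay is capped.
  const earliest = now.getTime();
  const latest = earliest + MAX_DELAY_MS;
  return new Date(Math.min(Math.max(at, earliest), latest));
}
```

Callers should treat `undefined` as "header absent" and fall back to their own backoff policy.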
Some header values are not intended to be used as-is, but their parsing strategy is trivial.

For example:

```
Content-Encoding: gzip, identity
Content-Language: de, en
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
```

All of the above header values contain just a comma-separated list of items, and can be parsed simply by splitting the string and trimming the items:

```typescript
'"cache", "cookies", "storage", "executionContexts"'
  .split(',')
  .map(item => item.trim());
// ['"cache"', '"cookies"', '"storage"', '"executionContexts"']
//
// There is no actual need to remove double quotes here,
// as they are always present.
```
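
Why the trivial strategy only suits lists whose items never contain a comma, shown as an added example (not the hthv implementation): splitting on commas breaks the `Warning` value from the table, whose quoted date contains a comma, while a quote-aware split keeps it whole. `splitTrivial` and `splitQuoteAware` are hypothetical helper names.

```typescript
// Added example; helper names are hypothetical, not part of hthv.

// The "trivial" strategy from this page: split on commas and trim.
function splitTrivial(value: string): string[] {
  return value.split(',').map(item => item.trim());
}

// Quote-aware split: a comma inside a double-quoted string does not end an
// item, and a backslash inside quotes escapes the next character.
// Returns undefined when a quoted string is left unterminated.
function splitQuoteAware(value: string): string[] | undefined {
  const items: string[] = [];
  let current = '';
  let inQuotes = false;

  for (let i = 0; i < value.length; i++) {
    const ch = value.charAt(i);
    if (inQuotes && ch === '\\' && i + 1 < value.length) {
      current += ch + value.charAt(++i); // keep the escaped pair intact
    } else if (ch === ',' && !inQuotes) {
      items.push(current.trim());
      current = '';
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      current += ch;
    }
  }

  if (inQuotes) return undefined; // malformed input: reject rather than guess
  items.push(current.trim());
  return items;
}

// Values taken from the table on this page.
const CLEAR_SITE_DATA = '"cache", "cookies", "storage", "executionContexts"';
const WARNING =
  '110 anderson/1.3.37 "Response is stale", 112 - "cache down" "Wed, 21 Oct 2015 07:28:00 GMT"';
```

`splitTrivial(WARNING)` yields three fragments, one of them ending in an unbalanced quote, whereas `splitQuoteAware(WARNING)` yields the two warnings the header actually carries.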