HTTP Headers | Article | Headers API | Fields (list) | HTTP Status Codes

The standard imposes no size limit, but servers do. E.g., on an Apache 2.3 server, the defaults are 8,190 bytes per field and a maximum of 100 header fields per request. That's over 800KB of data!

Context request

CORS | Docs/CORS | Network.HTTP.CORS+Fetch

Access-Control-Allow-Origin — Sent by the server of the requested resource. See PRJ.HTTP.CORS

Origin — Indicates the origin from which the request was issued; sent with CORS requests and POST requests. It is similar to the Referer header, but, unlike that header, it doesn't disclose the whole path.

Origin: <scheme> "://" <hostname> [ ":" <port> ]

Proxies

Sec-Fetch-{Dest|Mode|Site|User} request

A security mechanism introduced in 2019 by which user agents (via the Fetch API) attach specific context to outgoing requests, thereby aiding server-side decision making. Given this metadata in a set of fetch metadata headers, an application can quickly reject requests that fail a set of preconditions. That check can even be lifted above the application layer (to reverse proxies, CDNs, etc.) if desired.

Fetch API Metadata Headers

Sec-Fetch-Mode = sh-token

Sec-Fetch-Site = sh-token

Sec-Fetch-User = sh-boolean

(sh-token: Structured Headers Token.)

Sec-Fetch-Dest: (N/A)
Sec-Fetch-Mode: cors|navigate|nested-navigate|no-cors|same-origin|websocket
Sec-Fetch-Site: same-origin|cross-site
Sec-Fetch-User: ?F|?T  
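The server-side precondition check described above, as an added example (not code from the original notes): a pure function that implements a resource-isolation policy over the Sec-Fetch-* headers. It assumes Node-style lowercase header keys, and it goes slightly beyond the page's value list by also accepting the spec's same-site and none values for Sec-Fetch-Site (an assumption that same-site subdomains are trusted).

```javascript
// Added example: a request pre-check built on Sec-Fetch-* metadata headers.
// Returns { allow, reason } so the caller (middleware, proxy rule) can log
// the decision. Header keys are assumed lowercase, as in Node's req.headers.

// Sec-Fetch-Site values treated as trusted. `same-site` and `none` are spec
// values not listed in the notes above (assumption: subdomains are trusted;
// `none` covers user-typed URLs and bookmarks).
const TRUSTED_SITES = new Set(['same-origin', 'same-site', 'none']);
// Destinations that must never be reached via a cross-site navigation:
// an <object>/<embed> load is a navigation but is not user-visible.
const BLOCKED_NAV_DESTS = new Set(['object', 'embed']);

function resourceIsolationCheck(method, headers) {
  const h = (name) => (headers[name.toLowerCase()] || '').trim();
  const site = h('Sec-Fetch-Site');
  const mode = h('Sec-Fetch-Mode');
  const dest = h('Sec-Fetch-Dest');

  // No metadata at all: an older user agent or a non-browser client.
  // Fail open here so those clients keep working; the application's own
  // CSRF defences (tokens, SameSite cookies) still apply.
  if (site === '') return { allow: true, reason: 'no-fetch-metadata' };

  // Requests from our own origin/site are allowed through unconditionally.
  if (TRUSTED_SITES.has(site)) return { allow: true, reason: 'same-site' };

  // Cross-site: allow only a top-level navigation using a safe method that
  // is not being loaded into <object>/<embed>. Every other cross-site mode
  // (cors, no-cors, websocket, nested-navigate) is rejected.
  const safeMethod = ['GET', 'HEAD'].includes(method.toUpperCase());
  const isTopLevelNav = mode === 'navigate' && safeMethod;
  if (isTopLevelNav && !BLOCKED_NAV_DESTS.has(dest)) {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  return { allow: false, reason: `cross-site ${mode || 'unknown-mode'} request blocked` };
}
```

In an HTTP server, run this before routing and answer a blocked request with 403; the reason string is worth logging to see which cross-site callers you are cutting off.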

Location response

Indicates the redirect destination URL. For use with 3xx (redirection) or 201 (Created) responses only.

Location and Content-Location are different.

HTTP Redirects (3xx)

Content-Location response

Indicates an alternate location for the returned data; its principal use is in content negotiation.

Cookie request

Browsers automatically send the Cookie header with each request for which stored cookies match the request's domain. Its value is a semicolon-delimited set of name=value pairs, each a stored HTTP cookie previously sent by the server in a Set-Cookie header.

Cookie: <cookie-list>
Cookie: name=value
Cookie: name=value; name2=value2; name3=value3

Set-Cookie response

Sent by the server to the User Agent to set a cookie, e.g., a session cookie, which may be the result of a successful login.

Set-Cookie: <cookie-name>=<cookie-value> 
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly

For example, at twitter.com (the server sent both) …

set-cookie: fm=0; Max-Age=0; Expires=Wed, 11 Sep 2019 14:57:57 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: _twitter_sess=BAh...NyZl9p%250...jQ1%250...xNg%253D%253D--690...c351; Path=/; Domain=.twitter.com; Secure; HTTPOnly

Delete cookie by expiring it:

☩ curl -Is localhost:3030/app/logout
HTTP/1.1 200 OK
Set-Cookie: __Host-ia=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict
Set-Cookie: __Host-rr=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict
Date: Sun, 04 Apr 2021 13:18:11 GMT
Content-Length: 11
Content-Type: text/plain; charset=utf-8