According to this thread:
Custom HTTP headers : naming conventions
And the IETF link, using X- headers is no longer supported. However, I still see APIs that use them for responses. I've also recently done some configuration with nginx, and it uses a few X- headers. For example, another post here:
Modifying a Location header with nginx proxy_pass
shows the use of X-Forwarded-For and a few others.
So... via the IETF deprecation, is all use of any X- header basically being told to no longer use it? Or are there cases where it's allowed?
If they are no longer allowed, then do we return headers without the X- in it?
I ask because my REST API is returning login tokens (session tokens really) via x-auth-token: and consumers of my API would look for that header to get the token. I've seen many other APIs out there use a similar manner to provide OAuth or other tokens.
I just want some sort of definitive understanding if x- is bad but we can still return custom headers without the x- (so in my case it would just be a response header named auth-token)?
Thanks.