Is it safe to use an “X-…” header in an HTTP response?

Posted 2019-01-23 23:53

Question:

I have to pass some meta-information in my HTTP response, so I figured that I could use a response header, for instance "X-MyData: 123456". Is that safe? I mean, is there a possibility that a client proxy removes this header?

Thanks!

Answer 1:

A client proxy could do anything it wanted, but in general would not strip any headers.

Headers starting with an X- are typically reserved for nonstandard usage (i.e. no future standard will introduce a header starting X-) but a proxy may understand them and choose to modify them as it wants.



Answer 2:

For reference, X- headers are also referred to as x-token in the BNF of RFC 2045, as user-defined ("X-") in section 5 of RFC 2047 and as Experimental headers in section 4.2.2.1 of the News Article Format draft.

Deprecating Use of the "X-" Prefix in Application Protocols (BCP, June 2012):

deprecates the "X-" convention for most application protocols and makes specific recommendations about how to proceed in a world without the distinction between standard and non-standard parameters



Answer 3:

It is possible for proxy servers or any intermediate links in the chain to modify your headers, but this usually isn't a problem.

More often than not, specifying custom headers is fine as long as they're unique enough not to conflict with other people's headers and you don't expect anyone else to use yours.
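
Since the answers above agree that an intermediary may modify or drop a custom header, the following added example (not part of any answer on this page) shows one way a receiver can tell an intact value from a stripped or altered one by pairing it with an HMAC. It assumes the sender and receiver share a secret key; the companion header name `X-MyData-MAC`, the key and the sample headers are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

DATA_HEADER = "X-MyData"        # header name taken from the question
MAC_HEADER = "X-MyData-MAC"     # hypothetical companion header (assumption)
KEY = b"constructed-demo-key"   # constructed sample key, shared by both ends

def _mac(value):
    """Hex HMAC-SHA256 of the header value under the shared key."""
    return hmac.new(KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()

def add_protected_header(headers, value):
    """Sender side: attach the value together with its MAC."""
    out = dict(headers)
    out[DATA_HEADER] = value
    out[MAC_HEADER] = _mac(value)
    return out

def _get(headers, name):
    """Field names are case-insensitive and an intermediary may re-case
    them or pad the value with whitespace, so normalise both."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val.strip()
    return None

def check_protected_header(headers):
    """Receiver side: returns ('ok', value), ('missing', None) or
    ('tampered', None)."""
    value = _get(headers, DATA_HEADER)
    mac = _get(headers, MAC_HEADER)
    if value is None or mac is None:
        return ("missing", None)        # one of the headers was stripped
    expected = _mac(value).encode("ascii")
    # Constant-time comparison on bytes; tolerate an upper-cased hex MAC.
    if not hmac.compare_digest(expected, mac.lower().encode("utf-8")):
        return ("tampered", None)       # value or MAC changed in transit
    return ("ok", value)

def demo():
    """Run the check over constructed responses as seen after a proxy."""
    sent = add_protected_header({"Content-Type": "text/plain"}, "123456")
    recased = {k.lower(): " " + v for k, v in sent.items()}
    stripped = {k: v for k, v in sent.items() if k != DATA_HEADER}
    modified = dict(sent, **{DATA_HEADER: "999999"})
    cases = {"intact": sent, "recased": recased,
             "stripped": stripped, "modified": modified}
    return {name: check_protected_header(h)[0] for name, h in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The MAC only detects a change or removal; it does not stop an intermediary from dropping the header, so the receiver still needs a defined behaviour for the "missing" case.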