questions about HTTP request headers

Hello! Here are some questions & answers. The goal isn't to get all the questions "right". Instead, the goal is to learn something! If you find a topic you're interested in learning more about, I'd encourage you to look it up and learn more.

is the Host header required?

yes!

many webservers serve multiple websites, and the Host header is how the server can tell which domain/subdomain you're requesting.

example: Host: mail.google.com

is the User-Agent header required?

nope!

the only required header is the Host header. User-Agent is almost always set, though, and servers sometimes use it to decide which version of the site to serve you.

If you're logged into a website, which header does your browser send the server to prove that you're still logged in?

Cookie!

your browser saves any cookies the server set and will send them back to the server on every request it makes.

website analytics usually tell you where people are coming to your site from (google.com, twitter.com, etc.). Which header is that information in?

Referer!

when someone clicks a link, by default browsers will set the Referer header to the address of the site they were on when they clicked the link.

(and yes, Referer is misspelled :) )

which header does your browser use to request a compressed response?

Accept-Encoding!

Accept-Encoding: gzip requests a compressed response. This saves on bandwidth, so browsers will basically always set this header.

which header does your browser use to request a response in a specific language?

Accept-Language!

Accept-Language: es-ES requests a response in Spanish. As with Accept-Encoding, there's no guarantee that you'll actually get a response in Spanish, but some websites will respect this header!

if you have a secret API key that you need to use an API, which header do you put it in?

it depends, but often the Authorization header!

the Authorization header lets you send a username & password. They're base64 encoded but not encrypted, so it's important to use TLS.

Example: Authorization: Basic OTA0MmYyNzExM...

some APIs instead need you to put the API key somewhere else, like in the request body

wget has a --continue flag that lets you continue a download you interrupted. Which header does it use to do that?

Range

Range lets you request a specific part of a document, like "everything after 20392383 bytes" for a large download.

in a POST request with a JSON body to an API, which header tells the server that the request is JSON?

Content-Type

Content-Type: application/json.
If you don't set Content-Type, often the server won't know how to interpret your request.

Your browser caches a lot of CSS / JS / images. Which header does it use to ask the server if it needs to update its cache?

If-None-Match or If-Modified-Since

the server will return 304 Not Modified if no update is needed. Your browser sets If-None-Match to the last value of the ETag response header.