ChatGPT解决这个技术问题 Extra ChatGPT

Are HTTP headers case-sensitive?

In a blog post I use the following PHP to set the content-type of a response:

header('content-type: application/json; charset=utf-8');

I just got a comment on that post saying that content-type needs to be capitalized, Content-type. Is this correct? It seems to work for me with all lower-case, and I assumed the HTTP headers were case-insensitive. Or does it just work because browsers are nice?

It's case insensitive, but if you're going to fix the case, it should be 'Content-Type'.
FWIW, sending "charset" with application/json is pointless. There is no such parameter.
@cchamberlain - it's meaningless in "applocation/json". There is no such parameter for that media type.
@NullUserException - the downside (aside from wasted bytes) is to continue to confuse people about the charset param. Just get those components fixed instead.
@JulianReschke is correct. The IANA application/json assignment says charset is meaningless for this media type. it doesn't do anything. Please don't add it, because it's noise that leads to unnecessary confusion.

C
Community

Header names are not case sensitive.

From RFC 2616 - "Hypertext Transfer Protocol -- HTTP/1.1", Section 4.2, "Message Headers":

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

The updating RFC 7230 does not list any changes from RFC 2616 at this part.


Answer is still true, RFC 7230 states: "Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace."
Header fields are case sensitive when using PHP to get the value of a header field using the method 'apache_request_headers()'.
Can anyone provide examples of popular browsers that do not comply with the spec in this regard?
@Harm That's only because string comparison in PHP is case-sensitive.
For anyone looking, here is where RFC 7230 explicitly states that field headers should be treated as case insensitive: tools.ietf.org/html/rfc7230#section-3.2
L
Lightness Races in Orbit

HTTP header names are case-insensitive, according to RFC 2616:

4.2:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

(Field values may or may not be case-sensitive.)

If you trust the major browsers to abide by this, you're all set.

BTW, unlike most of HTTP, methods (verbs) are case sensitive:

5.1.1 Method

The Method token indicates the method to be performed on the resource identified by the Request-URI. The method is case-sensitive. Method = "OPTIONS" ; Section 9.2 | "GET" ; Section 9.3 | "HEAD" ; Section 9.4 | "POST" ; Section 9.5 | "PUT" ; Section 9.6 | "DELETE" ; Section 9.7 | "TRACE" ; Section 9.8 | "CONNECT" ; Section 9.9 | extension-method extension-method = token


Another comment said this answer is obsoleted. Is that true? If so, maybe you can update it so people don't get confused.
using curl -X put lower cased verb will return 400 bad request cryptic error from server. It took some time before realizing that verb was invalid. curl also did not throw any warnings. curl -X PUT went thru.
C
Community

tldr; both HTTP/1.1 and HTTP/2 headers are case-insensitive.

According to RFC 7230 (HTTP/1.1):

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

https://www.rfc-editor.org/rfc/rfc7230#section-3.2

Also, RFC 7540 (HTTP/2):

Just as in HTTP/1.x, header field names are strings of ASCII characters that are compared in a case-insensitive fashion.

https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2


just clarifying: field names are case insensitive; field values can be case-sensitive, depending on the field name.
Continued citation from HTTP/2 RFC: "However, header field names MUST be converted to lowercase prior to their encoding in HTTP/2. A request or response containing uppercase header field names MUST be treated as malformed (Section 8.1.2.6)"
I just noticed the "MUST be converted to lowercase..." part as well. Why is that? CamelCase appears to be preferred casing in practice (developer tools, popular code libraries), so why would HTTP/2 attempt to go against that trend?
@jimp - because standards are about consistency - using camel-case can be ambiguous - especially with abbreviations, initialisations and acronyms. For example - would it be "Front-End-Https" or "Front-End-HTTPS" - "WWW-Authenticate" or "Www-Authenticate" - specifying all lowercase removes ambiguity by standardising the field. This in turn simplifies handling the headers all round.
@jimp It could be related to HPACK, the header compression algorithm used with HTTP2. It's certainly easier if it's all lowercase. Also it has a small static dictionnary : tools.ietf.org/html/rfc7541#appendix-A
R
Rudiger W.

header('Content-type: image/png') did not work with PHP 5.5 serving IE11, as in the image stream was shown as text

header('Content-Type: image/png') worked, as in the image appeared as an image

Only difference is the capital 'T'.


Then there is obviously a problem with the implementation because all header fields are supposed to read as case-insensitive. Apache Bench is also messed up. It doesn't like lowercase field names.
j
jayarjo

They are not case sensitive. In fact NodeJS web server explicitly converts them to lower-case, before making them available in the request object.

It's important to note here that all headers are represented in lower-case only, regardless of how the client actually sent them. This simplifies the task of parsing headers for whatever purpose.


That's because node/javascript is case-sensitive, so to simplify things they normalize everything to lower-case, meaning the HTTP headers in effect are case insensitive.
G
GideonMax

officially, headers are case insensitive, however, it is common practice to capitalize the first letter of every word. but, because it is common practice, certain programs like IE assume the headers are capitalized. so while the docs say the are case insensitive, bad programmers have basically changed the docs.


R
Robert Lerner

The RFC for HTTP (as cited above) dictates that the headers are case-insensitive, however you will find that with certain browsers (I'm looking at you, IE) that capitalizing each of the words tends to be best:

Location: http://stackoverflow.com

Content-Type: text/plain

vs

location: http://stackoverflow.com

content-type: text/plain

This isn't "HTTP" standard, but just another one of the browser quirks, we as developers, have to think about.


Could you provide any evidence on that?
I meant a concrete test case; I do have an IE to test with.
Why exactly does it tend to be best?
I will make a browser that sends headers with random capitalization just to screw with devs
P
PPK

the Headers word are not case sensitive, but on the right like the Content-Type, is good practice to write it this way, because its case sensitve. like my example below

headers = headers.set('Content-Type'