Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Http response with no http header

I have written a mini-minimalist http server prototype ( heavily inspired by boost asio examples ), and for the moment I haven't put any http header in the server response, only the html string content. Surprisingly it works just fine.

In that question the OP wonders about necessary fields in the http response, and one of the comments states that they may not be really important from the server side.

I have not tried yet to respond binary image files, or gzip compressed file for the moment, in which cases I suppose it is mandatory to have a http header.

But for text only responses (html, css, and xml outputs), would it be ok never to include the http header in my server responses ? What are the risks / errors possible ?

like image 313
Stephane Rolland Avatar asked Nov 20 '12 23:11

Stephane Rolland


1 Answers

At a minimum, you must provide a header with a status line and a date.

As someone who has written many protocol parsers, I am begging you, on my digital metaphoric knees, please oh please oh please don't just totally ignore the specification just because your favorite browser lets you get away with it.

It is perfectly fine to create a program that is minimally functional, as long as the data it produces is correct. This should not be a major burden, since all you have to do is add three lines to the start of your response. And one of those lines is blank! Please take a few minutes to write the two glorious line of code that will bring your response data into line with the spec.

The headers you really should supply are:

  • the status line (required)
  • a date header (required)
  • content-type (highly recommended)
  • content-length (highly recommended), unless you're using chunked encoding
  • if you're returning HTTP/1.1 status lines, and you're not providing a valid content-length or using chunked encoding, then add Connection: close to your headers
  • the blank line to separate header from body (required)

You can choose not to send a content-type with the response, but you have to understand that the client might not know what to do with the data. The client has to guess what kind of data it is. A browser might decide to treat it as a downloaded file instead of displaying it. An automated process (someone's bash/curl script) might reasonably decide that the data isn't of the expected type so it should be thrown away.

From the HTTP/1.1 Specification section 3.1.1.5. Content-Type:

A sender that generates a message containing a payload body SHOULD generate a Content-Type header field in that message unless the intended media type of the enclosed representation is unknown to the sender. If a Content-Type header field is not present, the recipient MAY either assume a media type of "application/octet-stream" ([RFC2046], Section 4.5.1) or examine the data to determine its type.

like image 136
slashingweapon Avatar answered Sep 17 '22 05:09

slashingweapon