What HTTP response headers are required to be sent from server to the client?
I working to optimize the HTTP response headers to minimize the HTTP response overhead. I know "overhead" is somewhat exaggerated, but I like a clean output.
I see a lot of websites, which sends redundant cache headers.
e.g.
It is redundant to specify both Expires
and Cache-Control: max-age
, or to specify both Last-Modified
and ETag
.
It depends on what you define as being required: there are no header fields that must be sent with every response no matter what the circumstances are, but there are header fields that you really should send. The only header field that comes close is Date
, but even it has circumstances under which it is not required.
In the parlance of RFC 2119, the term MUST means that something is a requirement of the specification and not meeting the requirement would be invalid. There are no header fields defined by RFCs 7230, 7231, 7232, 7233, 7234, or 7235 that MUST be sent by an origin server in all cases.
The following headers, for example, can be omitted (though you probably should send them):
An origin server MUST NOT send a
Date
header field if it does not have a clock capable of providing a reasonable approximation of the current instance in Coordinated Universal Time. An origin server MAY send aDate
header field if the response is in the 1xx (Informational) or 5xx (Server Error) class of status codes. An origin server MUST send aDate
header field in all other cases.
Note the last sentence of the quote. The Date
header field MUST be sent if the origin server is capable of providing a "reasonable approximation" of the date in UTC, but there is nothing stopping a server from misrepresenting itself.
An origin server MAY generate a
Server
field in its responses.
Aside from [a finite number of predefined cases], in the absence of
Transfer-Encoding
, an origin server SHOULD send aContent-Length
header field when the payload body size is known prior to sending the complete header section.
On the subject of Content-Length
and Transfer-Encoding
, note that neither can be sent, in which case the length of the response is "determined by the number of octets received prior to the server closing the connection."
If a
Content-Type
header field is not present, the recipient MAY either assume a media type ofapplication/octet-stream
(RFC2046, Section 4.5.1) or examine the data to determine its type.
There are circumstances under which particular headers can be required, for example:
Connection: close
in every response that does not have a 1xx status code.Allow
header in a 405 (Method Not Allowed) response.WWW-Authenticate
header field containing at least one challenge.It depends on the specifics of the response, but generally, a response from an origin server should have:
and either Content-Length, Transfer-Encoding or Connection: close.
If you want to do caching, add Cache-Control (e.g., with max-age); Expires isn't generally necessary any more. If you want clients to be able to validate, add Last-Modified or ETag.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With