Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why do HTTP servers forbid underscores in HTTP header names

Tags:

http

nginx

apache

rfc

I had a problem with a custom HTTP SESSION_ID header not being transfered by nginx proxy.

I was told that underscores are prohibited according to the HTTP RFC.

Searching, I found that most servers like Apache or nginx define them as illegal in RFC2616 section 4.2, which says:

follow the same generic format as that given in Section 3.1 of RFC 822 [9]

RFC822 says:

The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon)

Underscore is decimal character 95 in the ASCII table in the 33-126 range.

What am I missing?

like image 341
white Avatar asked Apr 04 '14 07:04

white

People also ask

Can HTTP headers have special characters?

The value of the HTTP request header you want to set can only contain: Alphanumeric characters: a - z and A - Z. The following special characters: _ :;.,\/"'?!(){}[]@<>=-+*#$&`|~^%

Can you put anything in HTTP header?

You can, but you have to define a Header, then set its value. Like in the HttpWebRequest you can add any header, as long as its not one of the reserved ones.

What should HTTP headers include?

HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon ( : ), then by its value. Whitespace before the value is ignored.

Are HTTP headers case sensitive?

HTTP headers are case insensitive. To simplify your code, URL Loading System canonicalizes certain header field names into their standard form. For example, if the server sends a content-length header, it's automatically adjusted to be Content-Length .

2 Answers

They are not forbidden, it's CGI legacy. See "Missing (disappearing) HTTP Headers".

If you do not explicitly set underscores_in_headers on;, nginx will silently drop HTTP headers with underscores (which are perfectly valid according to the HTTP standard). This is done in order to prevent ambiguities when mapping headers to CGI variables, as both dashes and underscores are mapped to underscores during that process.

like image 183
Alexey Ten Avatar answered Oct 09 '22 16:10

Alexey Ten

Underscores in header fields are allowed per RFC 7230, sec. 3.2., but are uncommon.

like image 25
Julian Reschke Avatar answered Oct 09 '22 16:10

Julian Reschke
Sign in to Comment

Related questions

Laravel: PDOException: could not find driver
How do I track file downloads
Best way to manage long-running php script?
How to set HSTS header from .htaccess only on HTTPS [closed]
Location for session files in Apache/PHP
Apache Server (xampp) doesn't run on Windows 10 (Port 80)
Why is my $_ENV empty?
Httpd returning 503 Service Unavailable with mod_proxy for Tomcat 8
.htaccess rewrite subdomain to directory
How to force https on elastic beanstalk?
Get HTTP code from org.apache.http.HttpResponse
How to install Apache Bench on Windows 7? [closed]
Htaccess: add/remove trailing slash from URL
laravel the requested url was not found on this server
how to create virtual host on XAMPP [duplicate]
How can I implement rate limiting with Apache? (requests per second)
Apache: Invalid command ProxyRequests when setting up jenkins
WAMP won't turn green. And the VCRUNTIME140.dll error
how to configuring a xampp web server for different root directory
How can I view the complete httpd configuration?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!