AJAX - The Complete Reference


604 Part IV: Appendixes


Custom Response Headers
In addition to request headers, it is possible to have custom response headers. Developers
are free to invent whatever response headers they like using the X- prefix. Some server-side
frameworks and environments commonly add such headers as a form of response
header-based marketing:

X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6-pl6-gentoo

As with the Server header, some administrators will remove these headers because
they constitute information leakage. You may also encounter response headers that were not
discussed in the previous section. For example, various content rating systems

Response Header: Set-Cookie
Description: Not part of the HTTP 1.1 specification, a cookie header may contain numerous
name-value pairs to save, as well as information to control how long the cookie lives, what
domains and paths it is associated with, and various security features. The basic syntax of
the header is shown here:

    Set-Cookie: <name>=<value>[; <name>=<value>]...
                [; expires=<date>][; domain=<domain_name>]
                [; path=<some_path>][; secure][; httponly]

Chapter 6 has more details on the use of cookies.
Example:

    Set-Cookie: SESSIONID=799B7A97E5EE82158C1E933E401A8C95; Path=/

Response Header: Vary
Description: Indicates that a resource may differ based upon the request headers. For
example, in a content-negotiated form the resource may vary by the type of client making the
request. If something not in the request is responsible for the variability of the resource,
the origin server may return a * value. Warning: some caches may have problems with varied
content.
Examples:

    Vary: User-Agent
    Vary: Accept-Encoding
    Vary: *

Response Header: WWW-Authenticate
Description: Included with a 401 (Unauthorized) response message. The field consists of at
least one challenge that indicates the authentication scheme and parameters applicable to
the request made by the client.
Example:

    WWW-Authenticate: Basic Realm=CTU

TABLE B-8 Common HTTP 1.1 Server Response Headers (continued)
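As an added example (not from the book), the following Python script parses a constructed block of response headers using the Set-Cookie syntax from Table B-8 and flags the two defensive concerns this section raises: Server/X-Powered-By information leakage and cookies issued without the secure and httponly attributes. The sample headers and the SESSIONID value are constructed for illustration.

```python
"""Audit HTTP response headers for leaky server banners and weak cookie attributes."""

# Constructed sample response (not captured from any real server).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.1.6-pl6-gentoo
Vary: Accept-Encoding
Set-Cookie: SESSIONID=799B7A97E5EE82158C1E933E401A8C95; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
Content-Type: text/html
"""

# Headers that advertise server software and are commonly stripped by administrators.
LEAKY_HEADERS = {"server", "x-powered-by"}


def parse_headers(raw):
    """Return (name, value) pairs in order, keeping repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attributes) per the Table B-8 syntax."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flags such as Secure and HttpOnly carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), cookie_value.strip(), attrs


def audit(raw):
    """Return findings: leaked server details and cookies missing secure/httponly."""
    findings = []
    for name, value in parse_headers(raw):
        if name in LEAKY_HEADERS:
            findings.append(f"info leak: {name}: {value}")
        elif name == "set-cookie":
            cookie_name, _, attrs = parse_set_cookie(value)
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie_name} missing {flag}")
    return findings
```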