Web Development Help: Learn All About HTTP Headers

Source: Internet
Author: User

Whether you work on the front end or the back end, you will have to deal with HTTP headers, and understanding them is definitely helpful for web development. This article looks at the various aspects of HTTP headers.

What Are HTTP Headers

HTTP stands for "Hypertext Transfer Protocol". It is used throughout the World Wide Web, and almost everything you see in your browser is transmitted over HTTP, including this article.

HTTP headers are the core of HTTP requests and responses. They carry information about the client browser, the requested page, the server and more.


When you type a URL in the browser's address bar, your browser sends an HTTP request that resembles the following:

GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: net.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache

The first line, called the "Request Line", describes the basic information of the request, and the rest are the HTTP headers.

After the request is complete, your browser may receive an HTTP response such as the following:

HTTP/1.x 200 OK
Transfer-Encoding: chunked
Date: Sat, 28 Nov 2009 04:36:25 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: W3 Total Cache/0.8
Pragma: public
Expires: Sat, 28 Nov 2009 05:36:25 GMT
Etag: "pub1259380237;gz"
Cache-Control: max-age=3600, public
Content-Type: text/html; charset=UTF-8
Last-Modified: Sat, 28 Nov 2009 03:50:37 GMT
X-Pingback: http://net.tutsplus.com/xmlrpc.php
Content-Encoding: gzip
Vary: Accept-Encoding, Cookie, User-Agent
<!-- ... rest of the html ... -->

The first line is called the "Status Line". It is followed by the HTTP headers, and the content starts after the empty line that ends them (some HTML output in this case).

You can't see the HTTP headers when you look at the page's source code, although they are sent to the browser along with what you can see.

This HTTP request is also followed by requests for other resources, such as images, CSS files, JS files, and so on.

Let's take a look at the details below.

How to see HTTP Headers

The following Firefox extensions can help you analyze HTTP headers:

1. Firebug

2. Live HTTP Headers

3. In PHP:

    • getallheaders() is used to get the request headers. You can also use the $_SERVER array.
    • headers_list() is used to get the response headers.

Later in this article you will see some examples demonstrated in PHP.

Structure of HTTP Request

The first line, known as the "request line", contains three parts:

    • "Method" indicates what type of request this is. The most common request methods are GET, POST and HEAD.
    • "Path" is the part of the URL after the host. For example, when you request "http://net.tutsplus.com/tutorials/other/top-20-mysql-best-practices/", the path is "/tutorials/other/top-20-mysql-best-practices/".
    • "Protocol" contains "HTTP" and the version number; modern browsers use 1.1.

Each of the remaining lines is a "Name: value" pair. They carry a wide variety of information about the request and your browser. For example, "User-Agent" indicates your browser version and the operating system you are using. "Accept-Encoding" tells the server that your browser can accept compressed output such as gzip.

Most of these headers are optional. An HTTP request can even be reduced to this:

GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: net.tutsplus.com

And you can still receive a valid response from the server.
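
The request structure described above, as an added example that is not part of the original article: a strict PHP parser that splits a raw request into method, path, protocol and headers, and rejects malformed lines instead of guessing. The helper name parse_http_request and the sample request string are constructed for illustration.

```php
<?php
// Added example: parse a raw HTTP/1.x request head into its parts.
// parse_http_request() is a hypothetical helper, not a PHP built-in.
function parse_http_request(string $raw): array
{
    // The header block ends at the first empty line; the body (if any) follows.
    $parts = explode("\r\n\r\n", $raw, 2);
    $lines = explode("\r\n", $parts[0]);

    // Request line: METHOD SP PATH SP PROTOCOL
    $request_line = array_shift($lines);
    if (!preg_match('#^([A-Z]+) (\S+) (HTTP/\d\.\d)$#D', $request_line, $m)) {
        throw new InvalidArgumentException("Malformed request line");
    }

    $headers = [];
    foreach ($lines as $line) {
        // Each remaining line is "Name: value". Whitespace before the colon
        // and folded continuation lines are rejected instead of guessed at.
        if (!preg_match('/^([!#$%&\'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$/D', $line, $h)) {
            throw new InvalidArgumentException("Malformed header line");
        }
        // Header names are case-insensitive, so normalize them to lower case.
        $name = strtolower($h[1]);
        // A repeated header is combined into one comma-separated value.
        $headers[$name] = isset($headers[$name]) ? $headers[$name] . ", " . $h[2] : $h[2];
    }

    // HTTP/1.1 requires a Host header, as in the minimal request above.
    if ($m[3] === "HTTP/1.1" && !isset($headers["host"])) {
        throw new InvalidArgumentException("HTTP/1.1 request without Host header");
    }

    return [
        "method"   => $m[1],
        "path"     => $m[2],
        "protocol" => $m[3],
        "headers"  => $headers,
        "body"     => $parts[1] ?? "",
    ];
}

// Constructed sample input, based on the minimal request from the article.
$raw = "GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1\r\n"
     . "Host: net.tutsplus.com\r\n"
     . "Accept-Encoding: gzip,deflate\r\n"
     . "\r\n";

$request = parse_http_request($raw);
echo $request["method"], " ", $request["path"], " ", $request["protocol"], "\n";
foreach ($request["headers"] as $name => $value) {
    echo $name, " => ", $value, "\n";
}
```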

Request Types

The three most common request methods are GET, POST and HEAD. You may already be familiar with the first two from writing HTML.

GET: Retrieving a document

Most of the HTML, images, JS, CSS and so on delivered to the browser is requested with the GET method. It is the primary way of retrieving data.

For example, to get a Nettuts+ article, the first line of the HTTP request usually looks like this:

GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1

Once the HTML has loaded, the browser sends GET requests to fetch the images, as follows:

GET /wp-content/themes/tuts_theme/images/header_bg_tall.png HTTP/1.1

Forms can also be submitted with the GET method, as in the following example:

<form action="foo.php" method="GET">
First Name: <input name="first_name" type="text" />
Last Name: <input name="last_name" type="text" />
<input name="action" type="submit" value="Submit" />
</form>

When this form is submitted, the HTTP request will look like this:

GET /foo.php?first_name=John&last_name=Doe&action=Submit HTTP/1.1

You can send form input to the server by appending it to the query string.

POST: Sending data to the server

Although you can send data to the server with the GET method, in many cases it is more appropriate to use POST. Sending large amounts of data via GET is impractical, and it has some limitations.

It is common practice to send form data using POST requests. Let's convert the example above to use the POST method:

<form action="foo.php" method="POST">
First Name: <input name="first_name" type="text" />
Last Name: <input name="last_name" type="text" />
<input name="action" type="submit" value="Submit" />
</form>

Submitting this form creates an HTTP request as follows:

POST /foo.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/test.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

first_name=John&last_name=Doe&action=Submit

There are three things to note here:

    • The path in the first line has become simply /foo.php, with no query string.
    • There are new Content-Type and Content-Length headers, which describe the data being sent.
    • All data is sent after the headers, in the form of a query string.

POST requests can also be made from Ajax, applications, cURL and so on. All file upload forms are required to use the POST method.

HEAD: Retrieving header information

HEAD is very similar to GET, except that the response to a HEAD request does not include the content portion of the HTTP response. When you send a HEAD request, it means you are only interested in the HTTP headers, not the document itself.

This method lets the browser determine whether a page has been modified, in order to control caching. It can also be used to determine whether the requested document exists.

For example, if you have a lot of links on your site, you can simply send a HEAD request to each of them to find dead links, which is much faster than using GET.

HTTP Response Structure

When the browser sends an HTTP request, the server answers with an HTTP response. Leaving the content aside, the response looks like this:

The first piece of information is the protocol. Servers currently use either HTTP/1.x or HTTP/1.1.

Next comes the status code with a brief message. Code 200 means that our request succeeded and the server will return the requested document after the headers.

We've all seen the "404" page. When I request a path that does not exist on the server, the server responds with 404 instead of 200.

The rest of the response is similar to the HTTP request. It describes the server software, when the page or file was last modified, the MIME type, and so on.

Similarly, these headers are optional.

HTTP Status Codes
    • The 200s indicate that the request was successful.
    • The 300s indicate redirection.
    • The 400s indicate that there is a problem with the request.
    • The 500s indicate that there is a problem with the server.

200 OK

As mentioned earlier, 200 is used to indicate successful requests.

206 Partial Content

If an application requests only a range of a file, the server returns 206.

This is often used by download managers, for resuming interrupted downloads, or for downloading a file in chunks.

404 Not Found

It's easy to understand.

401 Unauthorized

A password-protected page returns this status. If you do not enter the correct password, you will see the following information in the browser:

Note that this applies only to HTTP password-protected pages, which pop up a login prompt like the following:

403 Forbidden

If you don't have permission to access a page, the server returns a 403 status. This usually happens when you try to open a folder that has no index page. If your server settings do not allow directory listings, you will see a 403 error.

Access can be restricted in other ways too. For example, you can block by IP address, with some help from .htaccess.

order allow,deny
deny from
deny from
deny from
allow from all

302 (or 307) Moved Temporarily and 301 Moved Permanently

These two status codes are used to redirect the browser, for example when you use a URL shortening service like bit.ly. This is also how such services learn who clicked on their links.

Browsers treat 302 and 301 very similarly, but search engine crawlers treat them differently. For example, if your site is down for maintenance, you can redirect the client browser to another address with a 302, and search engine crawlers will continue to index your pages in the future. But if you use a 301 redirect, you are telling the search engine crawler that your site has moved permanently to the new address.

500 Internal Server Error

This code usually appears when a page script crashes. Unlike PHP, most CGI scripts do not output error messages to the browser. If a fatal error occurs, they simply send a 500 status code. At that point you need to check the server error log to track down the error.

The complete list

Here you can find the complete HTTP status code description.

HTTP Headers in HTTP Requests

Now let's look at some of the headers commonly found in HTTP requests.

All of these headers can be found in PHP's $_SERVER array. You can also use the getallheaders() function to get all the headers at once.

Host

An HTTP request is sent to a specific IP address, but most servers can host multiple websites under the same IP address, so the server must know which domain name the browser is requesting.

Host: rlog.cn

This is just the basic host name, which includes the domain name and the subdomain.

In PHP, you can read it from $_SERVER["HTTP_HOST"] or $_SERVER["SERVER_NAME"].


User-Agent

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

This header can carry the following information:

    • The browser name and version number.
    • The operating system name and version number.
    • The default language.

Some websites use this header to collect information about their visitors. For example, you can tell whether a visitor is using a mobile phone to access your site, and then decide whether to direct them to a mobile site that works well at a low resolution.

In PHP, you can get the User-Agent from $_SERVER["HTTP_USER_AGENT"].

// warn visitors whose browser identifies itself as IE6
if (strstr($_SERVER["HTTP_USER_AGENT"], "MSIE 6")) {
    echo "Please stop using IE6!";
}


Accept-Language

Accept-Language: en-us,en;q=0.5

This header describes the user's default language settings. If the site has versions in different languages, it can be used to redirect the user's browser.

It can carry multiple languages separated by commas. The first is the preferred language, and the other languages carry a "q" value that indicates the user's preference for that language (0~1).

In PHP, use $_SERVER["HTTP_ACCEPT_LANGUAGE"] to get this information.

// redirect visitors whose preferred language is French
if (substr($_SERVER["HTTP_ACCEPT_LANGUAGE"], 0, 2) == "fr") {
    header("Location: http://french.mydomain.com");
}
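
The snippet above looks only at the first two characters of the header. As an added example that is not part of the original article, the following PHP code honours the "q" values described above and picks the redirect target from a server-side list, so the header value never ends up in the Location header. The function name pick_language and the $supported map are assumptions made for illustration.

```php
<?php
// Added example: choose a site language from Accept-Language using q-values.
// pick_language() and the $supported map are hypothetical names.
function pick_language(string $header, array $supported, string $default): string
{
    $candidates = [];
    foreach (explode(",", $header) as $position => $item) {
        // Each item is a language tag with an optional ";q=" weight.
        $pattern = '/^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*'
                 . '(?:;\s*q=([01](?:\.\d{0,3})?))?\s*$/D';
        if (!preg_match($pattern, $item, $m)) {
            continue; // skip anything that is not a well-formed entry
        }
        // An entry without a q value has weight 1.0.
        $q = (isset($m[2]) && $m[2] !== "") ? (float) $m[2] : 1.0;
        if ($q <= 0.0 || $q > 1.0) {
            continue; // q=0 means "not acceptable"
        }
        $candidates[] = [strtolower($m[1]), $q, $position];
    }

    // Highest q first; ties keep the order in which the browser listed them.
    usort($candidates, function ($a, $b) {
        return [$b[1], $a[2]] <=> [$a[1], $b[2]];
    });

    foreach ($candidates as [$tag]) {
        // Match the exact tag first, then its primary subtag ("en-us" -> "en").
        foreach ([$tag, explode("-", $tag)[0]] as $key) {
            if (isset($supported[$key])) {
                return $key;
            }
        }
    }
    return $default;
}

// The redirect target always comes from this server-side map.
// The host names are constructed examples.
$supported = [
    "en" => "http://www.mydomain.com",
    "fr" => "http://french.mydomain.com",
];

// Constructed sample header values, including the one from the article.
$samples = ["en-us,en;q=0.5", "de;q=0.9,fr;q=0.8,en;q=0.2", "fr;q=0,*;q=0.1"];
foreach ($samples as $sample) {
    $language = pick_language($sample, $supported, "en");
    echo $sample, " -> ", $language, " (", $supported[$language], ")\n";
}
```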


Accept-Encoding

Accept-Encoding: gzip,deflate

Most modern browsers support gzip compression and report this to the server. The server then sends the compressed HTML to the browser. This can reduce the file size by nearly 80% to save download time and bandwidth.

In PHP, you can use $_SERVER["HTTP_ACCEPT_ENCODING"] to get this information. The value is checked automatically when the ob_gzhandler() function is used, so you do not need to check it manually.

// enables output buffering
// and all output is compressed if the browser supports it
ob_start("ob_gzhandler");


If-Modified-Since

If a page is already cached in your browser, the next time you visit it the browser checks whether the document has been modified by sending this header:

If-Modified-Since: Sat, 28 Nov 2009 06:38:19 GMT

If the document has not been modified since that time, the server returns "304 Not Modified" and no content. The browser then reads the content from its cache automatically.

In PHP, you can use $_SERVER["HTTP_IF_MODIFIED_SINCE"] to check for it.

// assume $last_modify_time was the last the output was updated
// did the browser send If-Modified-Since header?
if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"])) {
    // if the browser cache matches the modify time
    if ($last_modify_time == strtotime($_SERVER["HTTP_IF_MODIFIED_SINCE"])) {
        // send a 304 header, and no content
        header("HTTP/1.1 304 Not Modified");
        exit;
    }
}

There is also an HTTP header called ETag, which is used to verify that the cached copy is still current. We will explain it later.


Cookie

As the name suggests, this header sends the cookies stored in your browser to the server.

Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120; foo=bar

It is a semicolon-separated set of name-value pairs. Cookies can also contain session IDs.

In PHP, individual cookies can be accessed through the $_COOKIE array. You can access session variables directly with the $_SESSION array. If you need the session ID, you can use the session_id() function instead of reading the cookie.

echo $_COOKIE["foo"];
// output: bar
echo $_COOKIE["PHPSESSID"];
// output: r2t5uvjq435r4q7ib3vtdjq120
session_start();
echo session_id();
// output: r2t5uvjq435r4q7ib3vtdjq120


Referer

As the name suggests, this header contains the referring URL.

For example, if I visit the Nettuts+ home page and click on a link, the browser sends this header:
Referer: http://net.tutsplus.com/

In PHP, you can get this value from $_SERVER["HTTP_REFERER"].

if (isset($_SERVER["HTTP_REFERER"])) {
    $url_info = parse_url($_SERVER["HTTP_REFERER"]);
    // is the surfer coming from Google?
    if (isset($url_info["host"], $url_info["query"]) && $url_info["host"] == "www.google.com") {
        parse_str($url_info["query"], $vars);
        if (isset($vars["q"]) && is_string($vars["q"])) {
            // the Referer is client-controlled, so escape it before output
            echo "You searched on Google for this keyword: " . htmlspecialchars($vars["q"]);
        }
    }
}
// if the referring url was:
// http://www.google.com/search?source=ig&hl=en&rlz=&=&q=http+headers&aq=f&oq=&aqi=g-p1g9
// the output will be:
// You searched on Google for this keyword: http headers

You may have noticed that the word "referrer" is misspelled as "Referer". Unfortunately, it made it into the official HTTP specification that way and stuck.


Authorization

When a page requires authorization, the browser pops up a login window. After you enter the correct account details, the browser sends the HTTP request again, but this time it includes a header like this:

Authorization: Basic bXl1c2VyOm15cGFzcw==

The information carried in this header is Base64-encoded. For example, base64_decode('bXl1c2VyOm15cGFzcw==') returns 'myuser:mypass'.

In PHP, these values are available as $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"].

More details will be explained in the WWW-Authenticate section.

HTTP Headers in HTTP Responses

Now let's look at some of the headers commonly found in HTTP responses.

In PHP, you can use header() to set response headers. PHP already sends some necessary headers automatically, for example when loading content or setting cookies. You can see the headers that have been sent, or are about to be sent, with the headers_list() function. You can also use the headers_sent() function to check whether the headers have already been sent.


Cache-Control

The definition from w3.org is: "The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain." These "caching mechanisms" include gateways and proxies that your ISP might use.

For example:

Cache-Control: max-age=3600, public

"public" means that the response can be cached by anyone, and "max-age" indicates the number of seconds for which the cache is valid. Allowing your site to be cached greatly reduces download time and bandwidth, and also improves loading speed in the browser.

You can also disable caching by setting the "no-cache" directive:

Cache-Control: no-cache

For more information, see w3.org.


Content-Type

This header contains the MIME type of the document. The browser decides how to handle the document based on this value. For example, an HTML page (or a PHP page with HTML output) would return something like this:

Content-Type: text/html; charset=UTF-8

'text' is the type, and 'html' is the subtype. The header can also carry more information, such as the charset.

For an image, the following is sent:

Content-Type: image/gif

The browser can use the MIME type to decide whether to open the document with an external program or one of its own extensions. The following example invokes Adobe Reader:

Content-Type: application/pdf

When files are served directly, Apache usually determines the MIME type of the document automatically and adds the appropriate header. Most browsers also have a certain degree of fault tolerance and will detect the MIME type themselves if the header is missing or incorrect.

You can find a list of common MIME types here.

In PHP, you can use finfo_file() to detect the MIME type of a file.


Content-Disposition

This header tells the browser to open a file download window instead of trying to parse the content of the response. For example:

Content-Disposition: attachment; filename="download.zip"

It causes the browser to show a dialog box like this:

Note that the appropriate Content-Type header is also sent along with it:

Content-Type: application/zip
Content-Disposition: attachment; filename="download.zip"


Content-Length

When content is about to be transferred to the browser, the server can use this header to tell the browser the size of the content to be transferred, in bytes.

Content-Length: 89123

This information is quite useful for file downloads. It is how browsers know the download progress.

For example, here I wrote a dummy script to simulate a slow download.

// it's a zip file
header("Content-Type: application/zip");
// 1 million bytes (about 1 megabyte)
header("Content-Length: 1000000");
// load a download dialogue, and save it as download.zip
header('Content-Disposition: attachment; filename="download.zip"');
// 1000 times 1000 bytes of data
for ($i = 0; $i < 1000; $i++) {
    echo str_repeat(".", 1000);
    // sleep to slow down the download
    usleep(50000);
}

The result will be this:

Now, I'll comment out the Content-Length header:

// it's a zip file
header("Content-Type: application/zip");
// the browser won't know the size
// header("Content-Length: 1000000");
// load a download dialogue, and save it as download.zip
header('Content-Disposition: attachment; filename="download.zip"');
// 1000 times 1000 bytes of data
for ($i = 0; $i < 1000; $i++) {
    echo str_repeat(".", 1000);
    // sleep to slow down the download
    usleep(50000);
}

The result becomes this:

The browser will only tell you how much has been downloaded, but not how much there is to download in total. The progress bar does not show any progress either.


ETag

This is another header that is used for caching. It looks like this:

Etag: "pub1259380237;gz"

The server may send this header with every file it serves. The value can be based on the last modified date of the document, the file size, or a checksum of the file. The browser caches it along with the document it receives. The next time the browser requests the same file, it sends the following header in the HTTP request:

If-None-Match: "pub1259380237;gz"

If the ETag of the requested document matches this value, the server sends a 304 status code instead of 200 and returns no content. The browser then loads the file from its cache.


Last-Modified

As the name suggests, this header indicates the last modification time of the document, in GMT format:

Last-Modified: Sat, 28 Nov 2009 03:50:37 GMT

$modify_time = filemtime($file);
header("Last-Modified: " . gmdate("D, d M Y H:i:s", $modify_time) . " GMT");

It offers the browser another caching mechanism. The browser may send a request header like this:

If-Modified-Since: Sat, 28 Nov 2009 06:38:19 GMT

We have already covered this in the If-Modified-Since section.
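
The two cache validation mechanisms described in the ETag and If-Modified-Since sections, combined in one added example that is not part of the original article: a PHP function that decides between 200 and 304 from the validators the browser sends. The helper names and the ETag format built from modification time and file size are assumptions made for illustration.

```php
<?php
// Added example: decide between 200 and 304 from the request validators.
// conditional_status() and validators_for() are hypothetical helpers;
// $request_headers uses the $_SERVER key names mentioned in the article.
function conditional_status(array $request_headers, string $etag, int $last_modified): int
{
    // If-None-Match takes precedence over If-Modified-Since when both are sent.
    if (isset($request_headers["HTTP_IF_NONE_MATCH"])) {
        $value = trim($request_headers["HTTP_IF_NONE_MATCH"]);
        if ($value === "*") {
            return 304;
        }
        // The header may list several entity tags: "a", W/"b", "c"
        preg_match_all('/(?:W\/)?"([^"]*)"/', $value, $m);
        // Compare only the opaque part (weak comparison), which is what
        // cache revalidation of a GET request uses.
        $current = trim(preg_replace('/^W\//', "", $etag), '"');
        return in_array($current, $m[1], true) ? 304 : 200;
    }

    if (isset($request_headers["HTTP_IF_MODIFIED_SINCE"])) {
        $since = strtotime($request_headers["HTTP_IF_MODIFIED_SINCE"]);
        // An unparseable date is ignored rather than treated as a match.
        if ($since !== false && $last_modified <= $since) {
            return 304;
        }
    }
    return 200;
}

// Builds the validators a response would carry for a file on disk.
function validators_for(string $file): array
{
    $mtime = filemtime($file);
    // Constructed ETag format: modification time and size of the file.
    $etag = sprintf('"%x-%x"', $mtime, filesize($file));
    return [$etag, $mtime];
}

// Demo: this script is the "document"; the request headers are constructed.
[$etag, $mtime] = validators_for(__FILE__);
$cases = [
    "first visit"     => [],
    "matching ETag"   => ["HTTP_IF_NONE_MATCH" => 'W/"stale", ' . $etag],
    "stale ETag"      => ["HTTP_IF_NONE_MATCH" => '"pub1259380237;gz"'],
    "unchanged since" => ["HTTP_IF_MODIFIED_SINCE" => gmdate("D, d M Y H:i:s", $mtime) . " GMT"],
    "changed since"   => ["HTTP_IF_MODIFIED_SINCE" => "Sat, 28 Nov 2009 06:38:19 GMT"],
];
foreach ($cases as $label => $headers) {
    echo $label, ": ", conditional_status($headers, $etag, $mtime), "\n";
}
```

In a request handler, a return value of 304 means sending header("HTTP/1.1 304 Not Modified") and no body.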


Location

This header is used for redirection. If the response code is 301 or 302, the server must send this header. For example, when you visit http://www.nettuts.com, the browser receives the following response:

HTTP/1.x 301 Moved Permanently
Location: http://net.tutsplus.com/

In PHP, you can redirect visitors in this way:

header("Location: http://net.tutsplus.com/");

By default this sends a 302 status code. To send a 301, write:

header("Location: http://net.tutsplus.com/", true, 301);


Set-Cookie

When a website wants to set or update a cookie in your browser, it uses this header:

Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Sun, 29-Nov-2009 21:42:28 GMT
Set-Cookie: session-id=120-7333518-8165026; path=/; domain=.amazon.com; expires=Sat Feb 27 08:00:00 2010 GMT

Each cookie is sent as a separate header. Note that cookies set through JavaScript are not reflected in the HTTP headers.

In PHP, you can set cookies with the setcookie() function, and PHP sends the appropriate HTTP headers.

setcookie("TestCookie", "foobar");

It sends a header message like this:

Set-Cookie: TestCookie=foobar

If you do not specify an expiration time, the cookie is deleted after the browser is closed.


WWW-Authenticate

A website may send this header to authenticate the user over HTTP. The browser opens a login pop-up window when it sees this header in a response.

WWW-Authenticate: Basic realm="Restricted Area"

It would look like this:

A section of the PHP manual has a simple code sample that shows how to do this in PHP:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
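
The sample above prints the client-supplied user name and password straight into the page and accepts any credentials. As an added example, not taken from the original article or the PHP manual, the following PHP code covers both the Authorization and WWW-Authenticate sections: it parses the Authorization header, checks the password against a stored hash and escapes the output. The $users store, the function names and the realm are assumptions made for illustration.

```php
<?php
// Added example: HTTP Basic authentication with verified credentials.
// $users, the function names and the realm are constructed for illustration.

// Parses "Basic <base64>" and returns [user, password], or null if malformed.
function parse_basic_authorization(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/iD', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode: false on invalid input
    if ($decoded === false || strpos($decoded, ":") === false) {
        return null;
    }
    // Only the first colon separates the fields; a password may contain ":".
    return explode(":", $decoded, 2);
}

// Returns the authenticated user name, or null if the credentials are wrong.
function check_basic_auth(?string $header, array $users): ?string
{
    static $dummy = null;
    // Hash used for unknown users so that both paths run password_verify().
    $dummy = $dummy ?? password_hash("placeholder", PASSWORD_DEFAULT);

    $credentials = ($header === null) ? null : parse_basic_authorization($header);
    if ($credentials === null) {
        return null;
    }
    [$user, $password] = $credentials;
    $known = isset($users[$user]);
    $ok = password_verify($password, $known ? $users[$user] : $dummy);
    return ($ok && $known) ? $user : null;
}

// Constructed user store: passwords are kept as hashes, never in plain text.
$users = ["myuser" => password_hash("mypass", PASSWORD_DEFAULT)];

// On a server the header arrives with the request (some setups expose only
// PHP_AUTH_USER and PHP_AUTH_PW); the fallback is the article's sample value.
$header = $_SERVER["HTTP_AUTHORIZATION"] ?? "Basic bXl1c2VyOm15cGFzcw==";

$user = check_basic_auth($header, $users);
if ($user === null) {
    if (!headers_sent()) {
        header('WWW-Authenticate: Basic realm="Restricted Area"');
        header("HTTP/1.1 401 Unauthorized");
    }
    echo "Authentication required.\n";
} else {
    // The name came from the client: escape it, and never echo the password.
    echo "<p>Hello " . htmlspecialchars($user, ENT_QUOTES, "UTF-8") . ".</p>\n";
}
```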


Content-Encoding

This header is usually set when the returned content is compressed.

Content-Encoding: gzip

In PHP, if you use the ob_gzhandler() function, this header is set automatically.

Source of translation: http://rlog.cn/?p=521
