HTTP is written by Hypertext Transfer Protocol. The entire World Wide Web uses this protocol. Almost most of the content you see in your browser is transmitted through the http protocol, such as this article.
HTTP Headers are HTTP requests and corresponding cores, and it carries information about client browsers, request pages, servers, etc.
When you type a url in the browser address bar, your browser will be similar to the following http request:
GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: net.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache
The first line is called Request Line. It describes the basic information of this request, and the rest is HTTP headers.
After the request is completed, your browser may receive the following HTTP response:
HTTP/1.x 200 OK
Transfer-Encoding: chunked
Date: Sat, 28 Nov 2009 04:36:25 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: W3 Total Cache/0.8
Pragma: public
Expires: Sat, 28 Nov 2009 05:36:25 GMT
Etag: pub1259380237;gz
Cache-Control: max-age=3600, public
Content-Type: text/html; charset=UTF-8
Last-Modified: Sat, 28 Nov 2009 03:50:37 GMT
X-Pingback: http://net.tutsplus.com/xmlrpc.php
Content-Encoding: gzip
Vary: Accept-Encoding, Cookie, User-Agent
<!-- ... rest of the html ... -->
The first line is called Status Line, which is followed by http headers. After the blank line is finished, the content will be output (in this case, some html output).
But you can't see HTTP headers when you look at the source code of the page, although they are sent to the browser together with what you can see.
This HTTP request also sends some requests for receiving other resources, such as images, css files, js files, etc.
Let's take a look at the details below.
The following FireFox extensions can help you analyze HTTP headers:
1. firebug
2.Live HTTP Headers
3. In PHP:
Below the article, you will see some examples of using php demonstration.
The first line, called the first line, contains three parts:
The remaining sections are each line with a Name:Value pair. They contain a variety of information about requests and your browser. For example, User-Agent indicates your browser version and the operating system you are using. Accept-Encoding will tell the server that your browsing can accept compressed output similar to gzip.
Most of these headers are optional. HTTP requests can even be reduced to this:
GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: net.tutsplus.com
And you can still receive a valid response from the server.
The three most common request types are: GET, POST and HEAD. You may already be familiar with the first two during the writing process of html.
Most of the html, images, js, css, ... that are transmitted to the browser are requested through the GET method. It is the main way to get data.
For example, to get a Nettus+ article, the first line of the http request usually looks like this:
GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Once the html is loaded, the browser will send a GET request to get the image, just like this:
GET /wp-content/themes/tuts_theme/images/header_bg_tall.png HTTP/1.1
The form can also be sent through the GET method. Here is an example:
<form action=foo.php method=GET>
First Name: <input name=first_name type=text />
Last Name: <input name=last_name type=text />
<input name=action type=submit value=Submit />
</form>
When this form is submitted, the HTTP request will look like this:
GET /foo.php?first_name=John&last_name=Doe&action=Submit HTTP/1.1
...
You can send form input to the server by appending it to the query string.
Although you can attach data to the url through the GET method to pass it to the server, it is more appropriate to use POST to send data to the server in many cases. It is unrealistic to send a large amount of data through GET, and it has certain limitations.
It is common to use POST requests to send form data. Let's change the above example to use POST:
<form action=foo.php method=POST>
First Name: <input name=first_name type=text />
Last Name: <input name=last_name type=text />
<input name=action type=submit value=Submit />
</form>
Submitting this form will create an HTTP request as follows:
POST /foo.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/test.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
first_name=John&last_name=Doe&action=Submit
Here are three things to note:
POST method requests can also be used on AJAX, applications, cURL…. And all file upload forms are required to use POST.
HEAD and GET are very similar, except that HEAD does not accept the content part of the HTTP response. When you send a HEAD request, it means you are only interested in the HTTP header, not the document itself.
This method allows the browser to determine whether the page has been modified and thus control the cache. It can also be determined whether the requested document exists.
For example, if you have many links on your website, you can simply send them HEAD requests separately to determine whether there are dead links, which is much faster than using GET.
When the browser sends an HTTP request, the server will respond to the request through an HTTP response. If you don't care about the content, then the request will look like this:
The first valuable information is the agreement. Currently, the server will use HTTP/1.x or HTTP/1.1.
Next a brief message represents the status. Code 200 means that our request has been sent successfully, and the server will return the requested document after the header information.
We've all seen page 404. When I request a path that does not exist from the server, the server responds to us with a 404 instead of 200.
The rest of the response is similar to the HTTP request. These are about server software, when pages/files have been modified, mime type, etc...
Similarly, these header information is optional.
As mentioned above, 200 is used to indicate that the request is successful.
206 Partial ContentIf an application only requests files within a certain range, it will return 206.
This is usually used for download management, breakpoint continuation or file chunking downloads.
404 Not FoundIt's easy to understand
401 UnauthorizedPassword protected pages will return to this status. If you do not enter the correct password, you will see the following information in your browser:
Note that this is just a password-protected page. The pop-up box that requests to enter a password looks like this:
403 ForbiddenIf you do not have permission to access a page, it will return to the 403 status. This usually happens when you try to open a folder without an index page. If the server settings do not allow viewing of directory contents, you will see a 403 error.
Other methods also send permission restrictions, such as you can block them through your IP address, which requires some htaccess assistance.
order allow,deny
deny from 192.168.44.201
deny from 224.39.163.12
deny from 172.16.7.92
allow from all
302 (or 307) Moved Temporarily and 301 Moved PermanentlyThese two states will appear when the browser redirects. For example, you use a URL shortening service like bit.ly. This is also how they know who clicked on their link.
302 and 301 are very similar to browsers, but there are some differences for search engine crawlers. For example, if your website is being maintained, you will redirect the client browser to another address with 302. Search engine crawlers will reindex your page in the future. But if you use 301 redirection, it means you tell the search engine crawler: your website has been permanently moved to the new address.
500 Server Error (Internal Server Error)This code usually appears when the page script crashes. Most CGI scripts do not output error messages to the browser like PHP. If a fatal error occurs, they will only send a status code of 500. At this time, you need to check the server error log to troubleshoot.
Complete listYou can find the full HTTP status code description here. Or check it here (http://tools.VeVb.com/table/http_status_code).
Now let's look at some common HTTP request information in HTTP headers.
All this header information can be found in PHP's $_SERVER array. You can also use the getallheaders() function to get all header information at once.
An HTTP request will be sent to a specific IP address, but most servers have the ability to host multiple websites under the same IP address, so the server must know which domain name the browser requests.
Host: rlog.cn
This is just a basic host name, including domain names and child domain names.
In PHP, you can view it via $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'].
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
This head can carry the following information:
This is the general method used by some websites to collect visitor information. For example, you can tell if a visitor is using your phone to visit your website and then decide whether to direct them to a mobile website that performs well at low resolution.
In PHP, User-Agent can be obtained through $_SERVER['HTTP_USER_AGENT']
if ( strstr($_SERVER['HTTP_USER_AGENT'],'MSIE 6') ) {
echo Please stop using IE6!;
}
Accept-Language: en-us,en;q=0.5
This information can indicate the user's default language settings. If the website has a different language version, you can use this information to redirect the user's browser.
It can be carried in multiple languages by comma segmentation. The first one will be the preferred language, and other languages will carry a q value to indicate the user's preference for the language (0~1).
Use $_SERVER[HTTP_ACCEPT_LANGUAGE] in PHP to obtain this information.
if (substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2) == 'fr') {
header('Location: http://french.mydomain.com');
}
Accept-Encoding: gzip,deflate
Most modern browsers support gzip compression and will report this information to the server. At this time, the compressed HTML will be sent to the browser. This can reduce file size by nearly 80% to save download time and bandwidth.
This information can be obtained using $_SERVER[HTTP_ACCEPT_ENCODING] in PHP. Then the value will be automatically detected when the ob_gzhandler() method is called, so you don't need to manually detect it.
// enables output buffering
// and all output is compressed if the browser supports it
ob_start('ob_gzhandler');
If a page has been cached in your browser, the next time you browse the browser will check whether the document has been modified, and it will send a header like this:
If-Modified-Since: Sat, 28 Nov 2009 06:38:19 GMT
If it has not been modified since this time, the server will return 304 Not Modified and will not return the content. The browser will automatically read content in the cache
In PHP, you can use $_SERVER['HTTP_IF_MODIFIED_SINCE'] to detect.
// assume $last_modify_time was the last the output was updated
// did the browser send If-Modified-Since header?
if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
// if the browser cache matches the modified time
if ($last_modify_time == strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
// send a 304 header, and no content
header(HTTP/1.1 304 Not Modified);
exit;
}
}
There is also an HTTP header called Etag, which is used to determine whether the cached information is correct, and we will explain it later.
As the name implies, it will send cookie information stored in your browser to the server.
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120; foo=bar
It is a set of name-value pairs divided by semicolons. Cookies can also include session id.
In PHP, a single cookie can be obtained by accessing the $_COOKIE array. You can directly use the $_SESSION array to get the session variable. If you need the session id, then you can use the session_id() function instead of the cookie.
echo $_COOKIE['foo'];
// output: bar
echo $_COOKIE['PHPSESSID'];
// output: r2t5uvjq435r4q7ib3vtdjq120
session_start();
echo session_id();
// output: r2t5uvjq435r4q7ib3vtdjq120
As the name implies, the header will contain referring url information.
For example, I visited the home page of Nettus+ and clicked on a link, and this header will be sent to the browser:
Referer: http://net.tutsplus.com/
In PHP, the value can be obtained by $_SERVER['HTTP_REFERER'].
if (isset($_SERVER['HTTP_REFERER'])) {
$url_info = parse_url($_SERVER['HTTP_REFERER']);
// is the surfer coming from Google?
if ($url_info['host'] == 'www.google.com') {
parse_str($url_info['query'], $vars);
echo You searched on Google for this keyword: . $vars['q'];
}
}
// if the referring url was:
// http://www.google.com/search?source=ig&hl=en&rlz=&=&q=http+headers&aq=f&oq=&aqi=g-p1g9
// the output will be:
// You searched on Google for this keyword: http headers
You may have noticed the word referrer is misspelled as referer. Unfortunately it made into the official HTTP specifications like that and got stuck.
When a page requires authorization, the browser will pop up a login window. After entering the correct account, the browser will send an HTTP request, but it will contain a header:
Authorization: Basic bXl1c2VyOm15cGFzcw==
This part of the information contained in the header is base64 encoded. For example, base64_decode('bXl1c2VyOm15cGFzcw== ') will be converted to 'myuser:mypass' .
In PHP, this value can be obtained with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
We will explain more details in the WWW-Authenticate section.
Now let me understand some HTTP response information in common HTTP Headers.
In PHP, you can set the header response information through header(). PHP has automatically sent some necessary header information, such as loaded content, setting cookies, etc... You can see the sent and to be sent through the headers_list() function. You can also use the headers_sent() function to check whether the header information has been sent.
w3.org is defined as: The Cache-Control general-header field is used to specify directives which MUST be obeyed by all caching mechanisms along the request/response chain. Where caching mechanisms contains some gateway and proxy information that your ISP may use.
For example:
Cache-Control: max-age=3600, public
public means that the response can be cached by anyone, and max-age indicates the number of seconds the cache is valid. Allows your website to be cached to reduce download time and bandwidth greatly, while also improving browser loading speed.
You can also disable cache by setting the no-cache command:
Cache-Control: no-cache
For more details, please see w3.org.
This header contains the mime-type of the document. The browser will decide how to parse the document based on this parameter. For example, an html page (or a php page with html output) will return something like this:
Content-Type: text/html; charset=UTF-8
'text ' is the document type, and 'html ' is the document subtype. This header also includes more information, such as charset.
If it is a picture, a response like this will be sent:
Content-Type: image/gif
The browser can use mime-type to decide whether to use external programs or to extend the document itself. The following example down call to Adobe Reader:
Content-Type: application/pdf
Load directly, Apache will usually automatically judge the mime-type of the document and add appropriate information to the header. Moreover, most browsers have a certain degree of fault tolerance. If the header does not provide or provides the information incorrectly, it will automatically detect mime-type.
You can find a list of commonly used mime-types here.
In PHP, you can use finfo_file() to detect the ime-type of the file.
This header will tell the browser to open a file download window instead of trying to parse the contents of the response. For example:
Content-Disposition: attachment; filename=download.zip
It causes the browser to have a dialog like this:
Note that the Content-Type header information that suits it will also be sent.
Content-Type: application/zip
Content-Disposition: attachment; filename=download.zip
When the content is to be transferred to the browser, the server can use this header to inform the browser of the size (bytes) of the file to be transferred.
Content-Length: 89123
This information is quite useful for file downloads. This is why the browser knows the progress of the download.
For example, here I wrote a virtual script to simulate a slow download.
// it's a zip file
header('Content-Type: application/zip');
// 1 million bytes (about 1megabyte)
header('Content-Length: 1000000');
// load a download dialog, and save it as download.zip
header('Content-Disposition: attachment; filename=download.zip');
// 1000 times 1000 bytes of data
for ($i = 0; $i < 1000; $i++) {
echo str_repeat(.,1000);
// sleep to slow down the download
usleep(50000);
}
The result will be like this:
Now, I comment out the Content-Length header:
// it's a zip file
header('Content-Type: application/zip');
// the browser won't know the size
// header('Content-Length: 1000000');
// load a download dialog, and save it as download.zip
header('Content-Disposition: attachment; filename=download.zip');
// 1000 times 1000 bytes of data
for ($i = 0; $i < 1000; $i++) {
echo str_repeat(.,1000);
// sleep to slow down the download
usleep(50000);
}
The result became this:
This browser will only tell you how much you have downloaded, but won't tell you how much you need to download in total. And the progress bar will not show progress.
This is another header information generated for cache. It will look like this:
Etag: pub1259380237;gz
The server may respond to this information with each sent file to the browser. This value can contain the last modified date, file size, or file checksum of the document. Browsing will cache it with the received document. The next time the browser requests the same file again, the following HTTP request will be sent:
If-None-Match: pub1259380237;gz
If the requested document Etag value is consistent with it, the server will send a 304 status code instead of 2oo. And no content is returned. The browser will load the file from the cache at this time.
As the name suggests, this header information uses GMT format to indicate the last modification time of the document:
Last-Modified: Sat, 28 Nov 2009 03:50:37 GMT
$modify_time = filemtime($file);
header(Last-Modified: . gmdate(D, d MYH:i:s, $modify_time) . GMT);
It provides another caching mechanism. The browser may send a request like this:
If-Modified-Since: Sat, 28 Nov 2009 06:38:19 GMT
We have already discussed it in the If-Modified-Since section.
This header is used for redirection. If the response code is 301 or 302, the server must send the header. For example, when you visit http://www.nettus.com, the browser will receive the following response:
HTTP/1.x 301 Moved Permanently
...
Location: http://net.tutsplus.com/
...
In PHP you can redirect visitors in this way:
header('Location: http://net.tutsplus.com/');
By default, the 302 status code will be sent. If you want to send 301, just write it like this:
header('Location: http://net.tutsplus.com/', true, 301);
When a website needs to set or update the cookie information you browse, it will use such a header:
Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Sun, 29-Nov-2009 21:42:28 GMT
Set-Cookie: session-id=120-7333518-8165026; path=/; domain=.amazon.com; expires=Sat Feb 27 08:00:00 2010 GMT
Each cookie will be used as a separate header. Note that setting cookies through js will not be reflected in the HTTP header.
In PHP, you can set cookies through the setcookie() function, and PHP will send appropriate HTTP headers.
setcookie(TestCookie, foobar);
It will send a header like this:
Set-Cookie: TestCookie=foobar
If the expiration time is not specified, the cookie will be deleted after the browser is closed.
A website may send this header information over HTTP to verify users. A pop-up window will open when the browser sees this response in the head.
WWW-Authenticate: Basic realm=Restricted Area
It will look like this:
In a chapter of the PHP manual, there is a simple code that demonstrates how to do something like this with PHP:
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm=My Realm');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo <p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>;
echo <p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>;
}
This header is usually set when the return content is compressed.
Content-Encoding: gzip
In PHP, if you call the ob_gzhandler() function, this header will be automatically set.
Original address: http://css9.net/all-about-http-headers/