Where could I find an (almost) complete list of HTTP headers that are
used by most modern browsers and/or proxy servers?

I thought http://tools.ietf.org/html/rfc2616m would contain a list of
most of the important ones.  However there are some very common ones
not listed in that document like the Cookie: header and the X-
Forwarded-For: header.

I'm not sure if that's because those are non-standard headers that the
browser companies introduced and which became widely adopted without
ever being formalized in an RFC... but in any case, is there a list
anywhere of all headers in common use regardless of whether they're
officially standardized or not?  All the ones that are at least as
common as, say, Cookie:, which is extremely common although not listed
in RFC 2616?

I tried Googling certain combinations of obscure headers like
"x-forwarded-for" cookie "request-range"
hoping that any page that came up would be a list of almost all
meaningful HTTP headers, but couldn't find anything that way.

-Bennett

[ Post a follow-up to this message ]

Bennett Haselton <bennett@peacefire.org> wrote:
> I thought http://tools.ietf.org/html/rfc2616m would contain a list of
> most of the important ones [...]

According to the RFC index at www.rfc-editor.org, 2616 was updated
by 2817. A quick google ("rfc cookie") suggests that RFC 2965 defines
cookies.

There doesn't seem to be a complete set of HTTP request/response headers,
though

Hope this helps,
Chris

[ Post a follow-up to this message ]

On 3 Aug, 11:32, Chris Davies <chris-use...@roaima.co.uk> wrote:
> Bennett Haselton <benn...@peacefire.org> wrote: 
>
> According to the RFC index atwww.rfc-editor.org, 2616 was updated
> by 2817. A quick google ("rfc cookie") suggests that RFC 2965 defines
> cookies.
>
> There doesn't seem to be a complete set of HTTP request/response headers,
> though
>
> Hope this helps,
> Chris


I don't know if they are specifically excluded or qualified by the
HTTP specs, but X- headers in HTTP seem to be used in the same way as
in SMTP - they are passed on but are information only / only processed
by end-points.

What is the problem you are trying to solve?

C.

[ Post a follow-up to this message ]

On Aug 7, 5:23 am, "C." <colin.mckin...@gmail.com> wrote:
> On 3 Aug, 11:32, Chris Davies <chris-use...@roaima.co.uk> wrote:
> 
> 
> 
> 
>
> I don't know if they are specifically excluded or qualified by the
> HTTP specs, but X- headers in HTTP seem to be used in the same way as
> in SMTP - they are passed on but are information only / only processed
> by end-points.
>
> What is the problem you are trying to solve?
>
> C.

I was looking at ways in which you could insert certain HTTP headers
into requests generated by certain browsers, and whether the insertion
of any of these headers would lead to security problems that should be
fixed.  For example if you could control the "Host:" header in an HTTP
request, this would enable you to send a request that would appear to
load site A from a given IP address (and the URL for site A would
appear in the address bar), but would actually display site B, if you
fooled the browser into sending a Host: header which specified site B.

But to do a thorough investigation would require a list of not just
all HTTP headers that are specified in RFCs but all the ones that are
commonly understood by proxy servers and HTTP servers.  I don't know
if such a list exists though.

-Bennett

[ Post a follow-up to this message ]