November 19, 2018 | Hoai Viet Nguyen

X-* HTTP Headers Overview

| Name | Description | Example |
| --- | --- | --- |
| X-Requested-With | Mainly used to identify Ajax requests. Most JavaScript frameworks send this field with a value of XMLHttpRequest. | X-Requested-With: XMLHTTPRequest |
| X-Forwarded-For | A de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Superseded by the Forwarded header. | X-Forwarded-For: client1, proxy1, proxy2 <br> X-Forwarded-For: 129.78.138.66, 129.78.64.103 |
| X-Forwarded-Host | A de facto standard for identifying the original host requested by the client in the Host HTTP request header, since the host name and/or port of the reverse proxy (load balancer) may differ from the origin server handling the request. Superseded by the Forwarded header. | X-Forwarded-Host: en.wikipedia.org |
| X-Forwarded-Proto | A de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (or a load balancer) may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS. An alternative form of the header (X-ProxyUser-Ip) is used by Google clients talking to Google servers. Superseded by the Forwarded header. | X-Forwarded-Proto: https |
| X-Http-Method-Override | Requests a web application to override the method specified in the request (typically POST) with the method given in the header field (typically PUT or DELETE). This can be used when a user agent or firewall prevents PUT or DELETE methods from being sent directly (note that this is either a bug in the software component, which ought to be fixed, or an intentional configuration, in which case bypassing it may be the wrong thing to do). | X-HTTP-Method-Override: DELETE |
| X-Wap-Profile | Links to an XML file on the Internet with a full description and details about the device currently connecting. The example to the right is an XML file for an AT&T Samsung Galaxy S2. | x-wap-profile: http://wap.samsungmobile.com/uaprof/SGH-I777.xml |
| X-ATT-DeviceId | Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent string of AT&T devices. | X-Att-Deviceid: GT-P7320/P7320XXLPG |
| X-UIDH | Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless; also known as "perma-cookie" or "supercookie". | X-UIDH: … |
| X-Csrf-Token | Used to prevent cross-site request forgery. Alternative header names are X-CSRFToken and X-XSRF-TOKEN. | X-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql |
| X-Request-ID, X-Correlation-ID | Correlates HTTP requests between a client and server. | X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5 |
| X-Host | Alternative to the Host header. | X-Host: example.org |
| X-Original-URL | Overrides the request's path. | X-Original-URL: /admin |
| X-Rewrite-URL | Overrides the request's path. | X-Rewrite-URL: /admin |
| X-Do-Not-Track | Used by clients to prevent tracking. | |
| X-UA-Compatible | Used by Internet Explorer to signal which document mode to use. | |
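
The X-Forwarded-For example in the table lists hops from left to right (client1, proxy1, proxy2), and every entry except the one appended by your own proxy is supplied by whoever sent the request. As an added example, not code from the original post, the following Python resolves the client address by walking that list from right to left, starting at the TCP peer, and stopping at the first hop that is not a known proxy. The function names, the trusted-proxy ranges and the addresses 10.0.0.5, 192.0.2.1 and 198.51.100.7 are assumptions constructed for illustration.

```python
import ipaddress


def parse_xff(values):
    """Flatten one or more X-Forwarded-For header values into an ordered hop list."""
    hops = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if item:
                hops.append(item)
    return hops


def client_ip(peer_addr, xff_values, trusted_proxies):
    """Return the first address, walking right to left, that is not a trusted proxy.

    peer_addr       -- address of the TCP peer (the only value not taken from a header)
    xff_values      -- list of raw X-Forwarded-For header values, in received order
    trusted_proxies -- CIDR ranges of proxies we operate (assumed configuration)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        # Membership is False when IP versions differ, so mixed lists are safe.
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer_addr)
    for hop in reversed(parse_xff(xff_values)):
        if not trusted(current):
            break  # everything further left was written by an untrusted party
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry ("unknown", host:port, ...): keep last verified address
    return str(current)


if __name__ == "__main__":
    # Constructed requests; the XFF value in the first one is the table's example.
    print(client_ip("10.0.0.5", ["129.78.138.66, 129.78.64.103"],
                    ["10.0.0.0/8", "129.78.64.103/32"]))
    # A client-supplied leading entry (192.0.2.1) is ignored.
    print(client_ip("10.0.0.5", ["192.0.2.1, 129.78.138.66"], ["10.0.0.0/8"]))
```

Taking the leftmost entry instead would return 192.0.2.1 in the second call, a value chosen entirely by the client.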

Written by:

Hoai Viet Nguyen

Research Assistant

viet.nguyen@th-koeln.de