HTTP headers

Useful HTML

A response from a Web server normally consists of a status line, one or more response headers, a blank line, and the document. Setting the HTTP response headers often goes hand in hand with setting the status codes in the status line. For example, several of the "document moved" status codes in the 300's range have an accompanying Location header, and a 401 (Unauthorized) code must include an accompanying WWW-Authenticate header.

However, specifying headers can play a useful role even when no unusual status code is set. Response headers can be used to specify cookies, to supply the modification date (for caching), to instruct the browser to reload the page after a designated interval, to say how long the file is so that persistent HTTP connections can be used, and many other tasks.


Listed below are some common HTTP response headers, along with an interpretation of their meaning or purpose.

Header name    Message
Allow What request methods (GET, POST, etc.) does the server support?
Content-Encoding What method was used to encode the document? You need to decode it to get the type specified by the Content-Type header. Gzip compression is only supported by Netscape on Unix and IE 4 and 5 on Windows. On the other hand, gzipping HTML files can dramatically reduce download times, and Java's GZIPOutputStream makes it easy. So you should explicitly check whether the browser supports it by looking at the Accept-Encoding header (i.e. via request.getHeader("Accept-Encoding")). That way, you can return gzipped pages to browsers that know how to unzip them, but still return regular pages to other browsers.
Content-Length How many bytes are being sent? This information is only needed if the browser is using a persistent (keep-alive) HTTP connection. If you want your servlet to take advantage of this when the browser supports it, your servlet should write the document into a ByteArrayOutputStream, look up its size when done, put that into the Content-Length field, then send the content via byteArrayStream.writeTo(response.getOutputStream()).
Content-Type What is the MIME type of the following document? The default for servlets is text/plain, but they usually explicitly specify text/html.
Date What is the current time (formatted in GMT)?
Expires At what time should content be considered out of date and thus no longer cached?
Last-Modified When was the document last changed? The client can supply a date via an If-Modified-Since request header. This is treated as a conditional GET, with the document only being returned if the Last-Modified date is later than the specified date. Otherwise a 304 (Not Modified) status line is returned.
Location Where should the client go to get the document? This is usually set indirectly, along with a 302 status code.
Refresh How soon should the browser ask for an updated page (in seconds)? Instead of just reloading the current page, an alternative page can be specified by supplying a URL after a semicolon, e.g. setHeader("Refresh", "5; URL=http://host/path"). This is commonly set via <meta http-equiv="Refresh" content="5; URL=http://host/path"> in the <head> section of the HTML page, rather than as an explicit header from the server. This is because automatic reloading or forwarding is something often desired by HTML authors who do not have CGI or servlet access, but on the server, setting the header directly is easier and clearer.
Note that this header is not officially part of HTTP 1.1, but is an extension supported by both Netscape and Internet Explorer.
Server What server is this? This header is usually set by the server itself, and not by servlets.
Set-Cookie Specifies a cookie associated with the page.
WWW-Authenticate What authorization type and realm should the client supply in its Authorization header? This header is required in responses that have a 401 (Unauthorized) status line. E.g. response.setHeader( "WWW-Authenticate", "BASIC realm=\"employees\"" ), although password-protected web pages are usually handled by the webserver's specialized mechanisms (e.g. .htaccess).
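
The Content-Encoding and Content-Length entries above, combined in one servlet. This is an added example, not code from the original page. It goes slightly beyond the text by honouring an explicit "gzip;q=0" refusal in Accept-Encoding and by sending a Vary header. The class name GzipPageServlet, the helper acceptsGzip and the sample document are assumptions, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.GZIPOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: hypothetical servlet; javax.servlet API assumed on the classpath.
public class GzipPageServlet extends HttpServlet {

    // True only if Accept-Encoding lists gzip with a non-zero q-value.
    // "gzip;q=0" is an explicit refusal; "*" is ignored, so we fall back to plain.
    static boolean acceptsGzip(String acceptEncoding) {
        if (acceptEncoding == null) return false;
        for (String part : acceptEncoding.split(",")) {
            String[] fields = part.trim().split(";", -1);
            if (!fields[0].trim().equalsIgnoreCase("gzip")) continue;
            for (int i = 1; i < fields.length; i++) {
                String p = fields[i].trim();
                if (p.regionMatches(true, 0, "q=", 0, 2)) {
                    try { return Double.parseDouble(p.substring(2)) > 0; }
                    catch (NumberFormatException e) { return false; }
                }
            }
            return true; // no q parameter: the default weight is 1
        }
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        byte[] page = "<html><body><h1>Hello</h1></body></html>"
                .getBytes(StandardCharsets.UTF_8); // constructed sample document
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        if (acceptsGzip(request.getHeader("Accept-Encoding"))) {
            try (GZIPOutputStream gzip = new GZIPOutputStream(buffer)) {
                gzip.write(page);
            } // close() writes the gzip trailer, so the size is final only now
            response.setHeader("Content-Encoding", "gzip");
        } else {
            buffer.write(page, 0, page.length);
        }
        response.setContentType("text/html; charset=UTF-8");
        response.setHeader("Vary", "Accept-Encoding"); // shared caches must key on it
        response.setContentLength(buffer.size());      // bytes actually sent
        buffer.writeTo(response.getOutputStream());
    }
}
```

Content-Length is taken from the buffer after compression, so it always matches the bytes written to the connection, whichever branch ran.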