A response from a Web server normally consists of a status line, one or more response headers, a blank line, and the document. Setting the HTTP response headers often goes hand in hand with setting the status codes in the status line. For example, several of the "document moved" status codes in the 300's range have an accompanying Location header, and a 401 (Unauthorized) code must include an accompanying WWW-Authenticate header.
However, specifying headers can play a useful role even when no unusual status code is set. Response headers can be used to specify cookies, to supply the modification date (for caching), to instruct the browser to reload the page after a designated interval, to say how long the file is so that persistent HTTP connections can be used, and many other tasks.
Listed below are some common HTTP response headers, along with an interpretation of their meaning or purpose.
| Header name | Message |
|---|---|
| Allow | What request methods (GET, POST, etc.) does the server support? |
| Content-Encoding | What method was used to encode the document? You need to decode it to get the type specified by the Content-Type header. Gzipping HTML files can dramatically reduce download times, and Java's GZIPOutputStream makes it easy, but it is only supported by Netscape on Unix and IE 4 and 5 on Windows. So you should explicitly check whether the browser supports it by looking at the Accept-Encoding header (i.e. via request.getHeader("Accept-Encoding")). That way, you can return gzipped pages to browsers that know how to unzip them, but still return regular pages to other browsers. |
| Content-Length | How many bytes are being sent? This information is only needed if the browser is using a persistent (keep-alive) HTTP connection. If you want your servlet to take advantage of this when the browser supports it, your servlet should write the document into a ByteArrayOutputStream, look up its size when done, put that into the Content-Length field, then send the content via byteArrayStream.writeTo(response.getOutputStream()). |
| Content-Type | What is the MIME type of the following document? The default for servlets is text/plain, but they usually explicitly specify text/html. |
| Date | What is the current time (formatted in GMT)? |
| Expires | At what time should content be considered out of date and thus no longer cached? |
| Last-Modified | When was the document last changed? The client can supply a date via an If-Modified-Since request header. This is treated as a conditional GET, with the document only being returned if the Last-Modified date is later than the specified date. Otherwise a 304 (Not Modified) status line is returned. |
| Location | Where should the client go to get the document? This is usually set indirectly, along with a 302 status code. |
| Refresh | How soon should the browser ask for an updated page (in seconds)? Instead of just reloading the current page, an alternative page can be specified by supplying a URL after a semicolon, e.g. setHeader("Refresh", "5; URL=http://host/path"). This is commonly set via a <meta> tag in the <head> section of the HTML page, rather than as an explicit header from the server. This is because automatic reloading or forwarding is something often desired by HTML authors who do not have CGI or servlet access, but on the server, setting the header directly is easier and clearer. Note that this header is not officially part of HTTP 1.1, but is an extension supported by both Netscape and Internet Explorer. |
| Server | What server is this? This header is usually set by the server itself, and not by servlets. |
| Set-Cookie | Specifies a cookie associated with the page. |
| WWW-Authenticate | What authorization type and realm should the client supply in its Authorization header? This header is required in responses that have a 401 (Unauthorized) status line. E.g. response.setHeader("WWW-Authenticate", "BASIC realm=\"employees\""), although password-protected web pages are usually handled by the web server's specialized mechanisms (e.g. .htaccess). |
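
The Content-Encoding and Content-Length rows describe two steps that belong together: check Accept-Encoding, buffer the (possibly gzipped) document, then report the buffered size. The following is an added example, not code from the original page; it uses only the JDK so it runs without a servlet container, and the class name, the method names, the headers map (standing in for response.setHeader) and the sample header values are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.zip.GZIPOutputStream;

public class GzipNegotiation {
    /** True if the Accept-Encoding value lists gzip and does not refuse it with q=0. */
    static boolean acceptsGzip(String acceptEncoding) {
        if (acceptEncoding == null) return false;              // header absent: send plain
        for (String item : acceptEncoding.split(",")) {
            String[] parts = item.trim().split(";");
            if (!parts[0].trim().equalsIgnoreCase("gzip")) continue;
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim().toLowerCase();
                if (p.startsWith("q=")) {
                    try { return Double.parseDouble(p.substring(2)) > 0; }
                    catch (NumberFormatException e) { return false; } // malformed: send plain
                }
            }
            return true;                                       // gzip listed without a q-value
        }
        return false;
    }

    /** Buffers the body (gzipped if allowed) and fills in the matching headers. */
    static byte[] encode(String html, String acceptEncoding, Map<String, String> headers) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] raw = html.getBytes(StandardCharsets.UTF_8);
        if (acceptsGzip(acceptEncoding)) {
            try (GZIPOutputStream gz = new GZIPOutputStream(buffer)) { gz.write(raw); }
            headers.put("Content-Encoding", "gzip");
        } else {
            buffer.write(raw);
        }
        headers.put("Content-Type", "text/html; charset=UTF-8");
        headers.put("Vary", "Accept-Encoding");                // caches must key on the request header
        headers.put("Content-Length", String.valueOf(buffer.size())); // size of what is actually sent
        return buffer.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        String page = "<html><body>" + "<p>hello</p>".repeat(200) + "</body></html>"; // constructed
        for (String ae : new String[] {"gzip, deflate", "gzip;q=0, identity", null}) { // constructed
            Map<String, String> headers = new LinkedHashMap<>();
            byte[] body = encode(page, ae, headers);
            System.out.println(ae + " -> " + headers + " (" + body.length + " bytes)");
        }
    }
}
```

In a servlet, each map entry becomes a response.setHeader call and the returned bytes are written to response.getOutputStream(); Content-Length must be the compressed size, which is why it is read from the buffer after the gzip stream is closed.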