Why we need to deprecate x prefix for HTTP headers?
In June, 2012, Internet Engineering Task Force released a new RFC(RFC-6648), recommending deprecation of
X- prefix. As LinkedIn also use this type of prefix, I was interested to read this RFC, and explain to you why we need to deprecate it.
X- prefix background
HTTP header is used to transmit additional information between client and server.
Some standard HTTP header:
Authorization: Often used to transmit OAuth access token or other authorization information. e.g.
Authorization: Bearer ABCDEFG
Content-Type: Often used to represent media type in request body. e.g.
User-Agent: Browser identifier. e.g.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
If people want to have custom header,
X- prefix is suggested to avoid conflict. This recommendation is raised in 1982 for Email standard(RFC-822)，working fine for decades。
Usage of X- prefix
Among all non-standard HTTP headers, some become very popular:
X-Forwarded-For: Mark origin IP of client connecting to server through proxy
X-Forwarded-Host: Mark origin host of client connecting to server through proxy
X-Forwarded-Proto: Mark protocol of client connecting to server through proxy
X-Powered-By: Mark framework, technology, environment, etc.
X- prefix issues
X- prefix become more and more popular, it’s tough to handle it when we need to standardize them. In theory, we should remove the
X- prefix after standardize it, but it will apparently affect existing applications. To avoid backward-compatibility issues, we have to keep it. In summary, the
X- prefix can’t identify between standard and non-standard headers anymore.
- No longer recommend
X-for new custom headers, and no longer use
X-prefix to distinguish standard and non-standard headers
- If it’s possible for new custom header to be standardized, use a non-used and meaningful header name
- If it’s not possible for new custom header to be standardized, include organization name (e.g. reverse domain name
- No recommendation to keep/drop for existing custom HTTP headers
X-prefix can’t be used to assume safety of headers