What's the rationale behind the HTTP Date header?

Question

I have read RFC 2616, but still I wonder, what the Date field is for. There is the Last-Modified field, that actually has a meaning besides just serving metadata, that is, for caching ('If-Modified-Since').

But what use has it to double the info in a separate Date header?

similar question with some good answers https://stackoverflow.com/questions/4726515/what-http-response-headers-are-required — Sergey Ponomarev, Aug 31 '20 at 14:27

score 45 · Accepted Answer · edited Oct 07 '21 at 07:34

45

Per the spec, it is used in age calculations. If you don't know what time the server thinks it is, you won't be able to calculate the "age" of a resource. Here's the relevant text from the spec:

Summary of age calculation algorithm, when a cache receives a response:

age_value
is the value of Age: header received by the cache with this response.

date_value
is the value of the origin server's Date: header

request_time
is the (local) time when the cache made the request that resulted in this cached response

response_time
is the (local) time when the cache received the response

now
is the current (local) time
apparent_age = max(0, response_time - date_value);
corrected_received_age = max(apparent_age, age_value);
response_delay = response_time - request_time;
corrected_initial_age = corrected_received_age + response_delay;
resident_time = now - response_time;
current_age   = corrected_initial_age + resident_time;

edited Oct 07 '21 at 07:34

Community

1
1

answered Oct 22 '09 at 22:20

Jonathan Feinberg

44,698
7
80
103

1

Ah, OK. Then the Date is not necessarily the same as the last modification? If I understand correctly it's more "When did the server start to send the stuff?". That would make sense... – Boldewyn Oct 23 '09 at 06:57
1

@Boldewyn that's right - it's "the date and time at which the **message** was originated". – Daniel Lubarov Jan 02 '13 at 23:54
@DanielLubarov worth nothing that its not just the response that can send a Date header. Its supported for requests too, where it would be useful to establish the time on the client. Unfortunately its not generally set from what i can see – Matt Evans Feb 21 '18 at 13:06
When you say "the date and time at which the message was originated", what is that message? – Stephen Fong Oct 05 '19 at 13:47
It means when the server has sent the response to the client. – abhiarora Jan 13 '20 at 12:05
So this header only make sense if you are using Cache-Control header to determine exact time when content expires? From what I understood it's absolutely safe to omit this tag and probably nobody even notice. Even cache control don't have to be so precise. In most cases server just may have wrong timezone configured but it's time is fine. – Sergey Ponomarev Jul 09 '20 at 19:00

Sergey Ponomarev · Answer 2 · 2020-08-09T18:36:06.910

-3

The Date is needed only for a better work of Expires header:

Date: Mon, 26 Mar 2012 12:53:02 GMT
Expires: Wed, 25 Apr 2012 12:53:02 GMT

A server or a client may have an incorrect time so client (browser) tries to calculate max age of the resource freshness. That was one of the reasons why the Cache-Control tag was introduced. It uses seconds to expire instead of a fixed time.

I tested Chrome and Firefox and they are fine is response without Date header so it can be safely omitted unless you are still using obsolete Expires header. If the Date is missing it just assumed the same as client's time. It's just insane that in spec the header is mandatory: the date formatting/parsing consumes CPU and network.

edited Aug 09 '20 at 18:36

answered Aug 08 '20 at 17:08

Sergey Ponomarev

2,947
1
33
43

5

If you think that the spec is insane, you may want to discuss this in the IETF WG which currently revises the spec. – Julian Reschke Aug 09 '20 at 05:05
thank you, I sent an email to WG https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0142.html – Sergey Ponomarev Aug 31 '20 at 15:18

score -5 · Answer 3 · answered Jan 21 '20 at 10:43

Please consider not to use the Date Header as it is on the list of the "Forbidden header names".

The following description from the MDN web docs might help:

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with Sec- are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest.

Forbidden header names start with Proxy- or Sec-, or are one of the following names:

Accept-Charset
List item
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Proxy-
Sec-
Referer
TE
Trailer
Transfer-Encoding
Upgrade
Via

Um, that list refers _only_ to usage in the context of AJAX/`fetch()`/client-side JS. That’s not the scope of my question, though. The `date` header is perfectly fine to use on server side. It’s just, that the server (nginx, Apache, whatever) usually adds it automatically. — Boldewyn, Jan 21 '20 at 12:50

What's the rationale behind the HTTP Date header?

3 Answers3

Linked