According to this thread:

Custom HTTP headers : naming conventions

And the IETF link, using X- headers is no longer supported. However, I still see APIs that use them for responses. I've also recently done some configuration with nginx and it uses a few X- headers. For example, another post here:

Modifying a Location header with nginx proxy_pass

shows the use of X-Forwarded-For and a few others.

So.. via the IETF deprecation, is all use of any X- header basically being told to no longer use it? Or are there cases where it's allowed?

If they are no longer allowed, then do we return headers without the X- in it?

I ask because my REST API is returning login tokens (session tokens really) via x-auth-token: and consumers of my API would look for that header to get the token. I've seen many other APIs out there use a similar manner to provide oauth or other tokens.

I just want some sort of definitive understanding if x- is bad but we can still return custom headers without the x- (so in my case it would just be a response header named auth-token)?

Thanks.

user3317868
  • RFC 6648 is worded as "SHOULD NOT", meaning you shouldn't do it, but it's not forbidden. – Marc B Apr 03 '14 at 19:35
  • Ok.. but in the first thread they also indicate that using X- is bad so use good names.. does that mean using custom headers is fine, just don't use X- in the name of the header? – user3317868 Apr 03 '14 at 20:32
  • 1
    it says to use good names, with the understanding that there's no guarantee a future revision of the standards won't use that name for itself. e.g. a header called "MICROSOFT_FOO_BAR_BAZ" probably won't get co-opted into the standard, but "FOO_BAR_BAZ" might, if whatever functionality it's for becomes widespread. – Marc B Apr 03 '14 at 21:59

0 Answers