Reputation: 17782
Is it appropriate or necessary to use percent-encoding with HTTP Headers?
When I'm building RESTful client and servers, is it appropriate or necessary to use percent-encoding with HTTP Headers (request or response), or does this type of encoding just apply to URIs?
Upvotes: 14
Views: 12386
Answers (2)
Reputation: 3080
Basically No, but see below.
RFC2616 describes percent-encoding only for URIs (search for % or HEX HEX or percent) and it defines the field-value without mentioning percent-encoding.
However, RFC2616 allows arbitraty octets (except CTLs) in the header field value, and has a half-baked statement mentioning MIME encoding (RFC2047) for characters not in ISO-8859-1 (see definition of TEXT in its Section 2.2). I called that statement "half-baked" because it does not exlictly state that ISO-8859-1 is the mandatory character set to be used for interpreting the octets, but despite of that, it normatively requires the use of MIME encoding for characters outside of that character set. It seems that both the use of ISO-8859-1 and the MIME encoding of header field values are not widely supported.
HTTPbis seems to have given up on this, and goes back to US-ASCII for header field values. See this answer for details.
My reading of this is:
For standard header fields (those defined in RFC2616), percent-encoding is not permitted.
For extension header fields, percent-encoding is not described in RFC2616, but there is room for applying all kinds of encodings, including percent-encoding, as long as the resulting characters are US-ASCII (if you want to be future-proof). Just don't think you have to use percent-encoding.
Some more sources I found:
- https://www.quora.com/Do-HTTP-headers-need-to-be-encoded confirms my understanding, although it is not specific about standard headers vs extension headers and does not quote a source.
- https://support.ca.com/us/knowledge-base-articles.TEC1904612.html argues that the percent-encoding of extension headers in their product is a measure of protection against CSS attacks.
Upvotes: 15
Reputation: 351
TL;DR: Octet percent-encoding and base64 encoding are fine.
Indicating Character Encoding and Language for HTTP Header Field Parameters https://www.rfc-editor.org/rfc/rfc8187
This document specifies an encoding suitable for use in HTTP header fields...
Read the "3.2.3. Examples"
base64 encoding is fine too, as read the HTTP Basic Authorziation spec: https://www.rfc-editor.org/rfc/rfc7617
Upvotes: 0
Related Questions
- Headers for REST API with optional Base64 encoding
- Use of Accept-charset HTTP header
- What character encoding should I use for a HTTP header?
- HTTP Header using non-english character
- What encoding to use when interpreting HTTP/1.1 header field value
- When, if ever, should characters like { and } (curly braces) be percent-encoded in URLs?
- Do I have to encode http header into JSON?
- proper usages of url encoding
- Is it safe to assume decoded percent-encoded URIs turn into UTF-8?
- Do HTTP request headers have to be UTF-8 encoded?