What is the X-REQUEST-ID http header?

Question

I have already googled a lot this subject, read various articles about this header, its use in Heroku, and projects based on Django.

However, it's still all confused in my head.

• What is the purpose of this header?
• Does it violate user privacy?
• Can it help tracking a user?

Answer 1

Explanation using a story/analogy

You can think of X-Request-ID like some type of ID card so you can be uniquely identified. Well what does that mean?

I have a silly DMV story (to help me remember):

1. You get a "ticket" (with an ID number) from a dispenser, and then you
2. Stand in line, for 16 hours,
3. after 16 hours - I meet the customer care rep and she tells me there is a problem: the 12 signatures I signed were not matching perfectly.
4. The petty tyrant tells me to go to the back of the line and by that time it was too late - the DMV were closing for the day and I had to come in again the next day. i.e. my request timed out. (DMV folks don't work a micro-second past 3:59:00:00).

An entire day wasted - you complain to the DMV customer care - and they reply:

"When I look through the DMV records, how am I meant to identify you - when you came etc.?

That's where the X-Request-ID comes in. Just show him the number and they can track your request.....

Application of story to HTTP

The same applies to http requests - it's an id used to help back end devs find out what went wrong. Clients submit requests with that id - and it's a ID that they create (i.e. some random number etc.). Now servers can keep track of it.

Story given to help you remember.

Hopefully you're not confused even further - post a comment if I have and i'll try to clear it up. thx.

Answer 2

Purpose: Idempotency

With an ID that changes for every request, but stays the same in case of a retry of a request, the receiver can ensure the request won't get processed more than once.

This is a quote from some API provider:

All POST, PUT, and PATCH HTTP requests should contain a unique X-Request-Id header which is used to ensure idempotent message processing in case of a retry

If you make it a random string, unique per request, it won't infringe on your privacy, nor enable tracking.

If you want to know more of what idempotency has to offer, read this insightful article.

N.B. As Stefan Kögl comments, this header is not standardized - hence the (deprecated) "X-" prefix.

Answer 3

This request header can be used for syncrhonization. Let's say you've built a ToDo list that offers offline capability. Your user creates 3 items and each of them are given a unique UUID on the offline application. When network connectivity is available, the records are POSTed to the server and the corresponding IDs auto-generated from the database are returned. You can then replace the IDs in your app (e.g. "id" attribute of HTML "li" element).

Answer 4

When you're operating a webservice that is accessed by clients, it might be difficult to correlate requests (that a client can see) with server logs (that the server can see).

The idea of the X-Request-ID is that a client can create some random ID and pass it to the server. The server then include that ID in every log statement that it creates. If a client receives an error it can include the ID in a bug report, allowing the server operator to look up the corresponding log statements (without having to rely on timestamps, IPs, etc).

As this ID is generated (randomly) by the client it does not contain any sensitive information, and should thus not violate the user's privacy. As a unique ID is created per request it does also not help with tracking users.