What is the HTTP Accept header, security, privacy

What is the HTTP Accept header?

In every HTTP request you send headers that tell the server how to handle the communication. The HTTP Accept header tells the server which MIME types of data your browser can handle. Isn’t that enough to understand what the HTTP Accept header is? Let’s make it clearer.

First, let’s look at all the HTTP headers a browser sends to the server.

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: __cfduid=d46a98d1a7eaed9488f48776a137c49de1534755218; _ga=GA1.2.942397134.1534948665; _gid=GA1.2.1682902690.1537638671
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

(If you want to learn about other HTTP headers, please search the blog.)

text/html is a MIME type that the browser can render. As you can imagine, this type tells the server that the browser can handle HTML source.

Other types, such as application/xhtml+xml, application/xml and so on, have the same meaning. Here is the full MIME type list. Read it if you can.

There is a parameter named “q” in the HTTP Accept header, for example: application/xml;q=0.9. When you see something like that (a MIME type, a semicolon, q= and a value between 0 and 1), it is a quality value. Q-values, q-factors and quality values are all the same thing. The value describes the priority of the MIME type it is attached to. If there is none, the default value is 1.

General syntax is this:


Wildcards can also be used in MIME types, like */*, which means the browser can render anything the server sends.

Let’s look at an example:

Accept: application/*; q=0.2, application/pdf

It should be interpreted as “As a browser, I prefer the PDF file type, with the default q-factor value of 1. But you can send me any application type after an 80% drop in quality”.
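
The q-value and wildcard rules described above, as an added example that is not part of the original post: a server-side sketch that parses an Accept value, clamps malformed q-values instead of trusting them, and picks the best type it can offer. The function names parse_accept, quality_for and negotiate are hypothetical, not a library API.

```python
# Added example: parse an Accept header and pick the best type a server offers.
# parse_accept(), quality_for() and negotiate() are hypothetical helper names.

def parse_accept(header):
    """Return a list of (type, subtype, q) tuples from an Accept header value."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0] or "/" not in parts[0]:
            continue  # skip empty or malformed media ranges
        mtype, subtype = parts[0].lower().split("/", 1)
        q = 1.0  # default when no q parameter is present
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(max(float(value.strip()), 0.0), 1.0)  # clamp to 0-1
                except ValueError:
                    q = 0.0  # unparsable q: treat the range as not acceptable
        ranges.append((mtype, subtype, q))
    return ranges


def quality_for(offer, ranges):
    """q-value for one offered MIME type; the most specific matching range wins."""
    otype, osub = offer.lower().split("/", 1)
    best_spec, best_q = -1, 0.0
    for mtype, subtype, q in ranges:
        if mtype == otype and subtype == osub:
            spec = 2  # exact match, e.g. application/pdf
        elif mtype == otype and subtype == "*":
            spec = 1  # subtype wildcard, e.g. application/*
        elif mtype == "*" and subtype == "*":
            spec = 0  # full wildcard */*
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q


def negotiate(header, offers):
    """Return the offered type with the highest q, or None if none is acceptable."""
    ranges = parse_accept(header)
    scored = [(quality_for(o, ranges), o) for o in offers]
    q, best = max(scored, key=lambda s: s[0], default=(0.0, None))
    return best if q > 0 else None
```
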


Is it important for security?

No, it is not. There is no vulnerability for clients related to the Accept header. But with other HTTP headers, your privacy may be compromised.

So we tried to tell you what the HTTP Accept header is and whether it is important for security. We hope it helped.

Don’t forget to leave a comment.
