Asked 10/3, 2011 at 11:22 Answered 11/3, 2020 at 12:24

999

In a blog post I use the following PHP to set the content-type of a response:

header('content-type: application/json; charset=utf-8');

I just got a comment on that post saying that content-type needs to be capitalized, Content-type. Is this correct? It seems to work for me with all lower-case, and I assumed the HTTP headers were case-insensitive. Or does it just work because browsers are nice?

Boar answered 10/3, 2011 at 11:22 Comment(7)

It's case insensitive, but if you're going to fix the case, it should be 'Content-Type'. – Euchologion 9/1, 2015 at 21:31

FWIW, sending "charset" with application/json is pointless. There is no such parameter. – Artair 2/12, 2015 at 9:35

@JulianReschke There are no downsides to adding the parameter. Also, there are even some applications/libraries that will flat out not work unless it includes a charset parameter. Applications that don't expect a charset parameter on the other hand will continue to work fine if you add it. – Ronironica 7/11, 2016 at 23:5

@Ronironica - the downside (aside from wasted bytes) is to continue to confuse people about the charset param. Just get those components fixed instead. – Artair 8/11, 2016 at 12:38

@JulianReschke is correct. The IANA application/json assignment says charset is meaningless for this media type. it doesn't do anything. Please don't add it, because it's noise that leads to unnecessary confusion. – Badge 3/3, 2017 at 6:37

Could charset inclusion be future-proofing? Let's assume you've got internationalised templates in your json ... charset=utf-16 / 32 ? – Erasure 6/8, 2017 at 11:57

I’d guess probably not, Tyeth. JSON is specified as being encoded in UTF-8, UTF-16 or UTF-32 only; anything else, and it’s not JSON. Those are encodings, not character sets (though "charset" is fuzzy about this distinction) — they are all encodings for the same character set, that of Unicode. The spec also mandates the algorithm for determining the correct encoding from the content alone, so the only reason one might include this is to work around bugs in software that both reads JSON and content type headers incorrectly. – Cruz 1/10, 2017 at 8:4

1288

Header names are not case sensitive.

From RFC 2616 - "Hypertext Transfer Protocol -- HTTP/1.1", Section 4.2, "Message Headers":

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

The updating RFC 7230 does not list any changes from RFC 2616 at this part.

Landside answered 10/3, 2011 at 11:24 Comment(11)

Answer is still true, RFC 7230 states: "Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace." – Lycia 11/12, 2014 at 15:34

Header fields are case sensitive when using PHP to get the value of a header field using the method 'apache_request_headers()'. – Teel 21/10, 2015 at 10:13

Can anyone provide examples of popular browsers that do not comply with the spec in this regard? – Thibault 13/11, 2015 at 17:28

@Teel That's only because string comparison in PHP is case-sensitive. – Clearsighted 22/2, 2016 at 0:0

For anyone looking, here is where RFC 7230 explicitly states that field headers should be treated as case insensitive: tools.ietf.org/html/rfc7230#section-3.2 – Anemic 9/8, 2017 at 19:12

Random fact: some systems (AWS CloudFront being one) may leverage this part of the standard when they rewrite your headers. I've had the case of header keys change on me unexpectedly - good to know for next time – Ac 19/11, 2017 at 18:3

what about header field values? – Benenson 31/1, 2018 at 17:6

@JoeCodeFrog: Header field values are application-defined; you will need to consult the documentation of the specific application in use. – Landside 31/1, 2018 at 17:8

Am I the only one who think that "case-insensitive" does not mean that case can nor should manipulated? – Cottrill 6/2, 2021 at 23:39

@MatteoSp, I think that's probably a yes. – Erotomania 17/8, 2023 at 23:22

@Ac I just had this experience – Heyerdahl 1/4 at 18:37

281

HTTP header names are case-insensitive, according to RFC 2616:

4.2:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

(Field values may or may not be case-sensitive.)

If you trust the major browsers to abide by this, you're all set.

BTW, unlike most of HTTP, methods (verbs) are case sensitive:

5.1.1 Method

The Method token indicates the method to be performed on the
resource identified by the Request-URI. The method is case-sensitive.

   Method         = "OPTIONS"                ; Section 9.2
                  | "GET"                    ; Section 9.3
                  | "HEAD"                   ; Section 9.4
                  | "POST"                   ; Section 9.5
                  | "PUT"                    ; Section 9.6
                  | "DELETE"                 ; Section 9.7
                  | "TRACE"                  ; Section 9.8
                  | "CONNECT"                ; Section 9.9
                  | extension-method
   extension-method = token

Nalepka answered 10/3, 2011 at 11:27 Comment(2)

Another comment said this answer is obsoleted. Is that true? If so, maybe you can update it so people don't get confused. – Plains 7/3, 2016 at 20:31

using curl -X put lower cased verb will return 400 bad request cryptic error from server. It took some time before realizing that verb was invalid. curl also did not throw any warnings. curl -X PUT went thru. – Aldin 26/5, 2021 at 8:42

tldr; both HTTP/1.1 and HTTP/2 header names are case-insensitive BUT HTTP/2 enforces lowercase header names.

HTTP/1.1

According to RFC 7230, section 3.2:

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

HTTP/2.0

Quoting RFC 7540, section 8.1.2:

Just as in HTTP/1.x, header field names are strings of ASCII
characters that are compared in a case-insensitive fashion.

...but then:

However, header field names MUST be converted to lowercase prior to their encoding in HTTP/2. A request or response containing uppercase header field names MUST be treated as malformed.

Collegium answered 15/12, 2016 at 17:22 Comment(6)

just clarifying: field names are case insensitive; field values can be case-sensitive, depending on the field name. – Artair 15/12, 2016 at 19:7

Continued citation from HTTP/2 RFC: "However, header field names MUST be converted to lowercase prior to their encoding in HTTP/2. A request or response containing uppercase header field names MUST be treated as malformed (Section 8.1.2.6)" – Consort 18/9, 2017 at 8:34

I just noticed the "MUST be converted to lowercase..." part as well. Why is that? CamelCase appears to be preferred casing in practice (developer tools, popular code libraries), so why would HTTP/2 attempt to go against that trend? – Stadiometer 27/10, 2017 at 16:3

@Stadiometer - because standards are about consistency - using camel-case can be ambiguous - especially with abbreviations, initialisations and acronyms. For example - would it be "Front-End-Https" or "Front-End-HTTPS" - "WWW-Authenticate" or "Www-Authenticate" - specifying all lowercase removes ambiguity by standardising the field. This in turn simplifies handling the headers all round. – Leonorleonora 10/4, 2018 at 18:31

@Stadiometer It could be related to HPACK, the header compression algorithm used with HTTP2. It's certainly easier if it's all lowercase. Also it has a small static dictionnary : tools.ietf.org/html/rfc7541#appendix-A – Aestivation 21/8, 2020 at 9:46

Thanks @BorekBernard, I expanded the answer with your comment. – Adolphadolphe 24/2, 2023 at 14:12

header('Content-type: image/png') did not work with PHP 5.5 serving IE11, as in the image stream was shown as text

header('Content-Type: image/png') worked, as in the image appeared as an image

Only difference is the capital 'T'.

Hairpin answered 2/12, 2015 at 9:27 Comment(1)

Then there is obviously a problem with the implementation because all header fields are supposed to read as case-insensitive. Apache Bench is also messed up. It doesn't like lowercase field names. – Article 3/3, 2016 at 4:32

They are not case sensitive. In fact NodeJS web server explicitly converts them to lower-case, before making them available in the request object.

It's important to note here that all headers are represented in lower-case only, regardless of how the client actually sent them. This simplifies the task of parsing headers for whatever purpose.

Alewife answered 1/7, 2019 at 17:45 Comment(2)

That's because node/javascript is case-sensitive, so to simplify things they normalize everything to lower-case, meaning the HTTP headers in effect are case insensitive. – Boar 7/7, 2019 at 14:25

Which @Borek's comment on this answer indicates is the standard for HTTP/2: https://mcmap.net/q/53215/-are-http-headers-case-sensitive – Erotomania 17/8, 2023 at 23:27

officially, headers are case insensitive, however, it is common practice to capitalize the first letter of every word.
but, because it is common practice, certain programs like IE assume the headers are capitalized.
so while the docs say the are case insensitive, bad programmers have basically changed the docs.

Quaint answered 11/3, 2020 at 12:24 Comment(4)

@Borek's comment on this answer indicate RFCs that are trending towards MUST use lower case https://mcmap.net/q/53215/-are-http-headers-case-sensitive. – Erotomania 17/8, 2023 at 23:26

Well that rfc says one thing, but browser compatibility says another, and one of those is more important – Quaint 12/9, 2023 at 13:51

It's a war, @Quaint , between community and proprietary. If community is more important then the RFC is more important, if private profit and private control is more important, then clearly, let's ensure support for browsers that flaunt the RFCs. – Erotomania 13/9, 2023 at 1:8

I have IETester which runs IE 6 and case-insensitive headers work just fine. I tested location, last-modified and cache-control headers. They seem to work normally even when they are given fUnky-caSe. I even checked the raw HTTP output using telnet and confirmed that Apache had not changed the case to Title-Case. – Mushroom 2/11, 2023 at 21:28

The RFC for HTTP (as cited above) dictates that the headers are case-insensitive, however you will find that with certain browsers (I'm looking at you, IE) that capitalizing each of the words tends to be best:

Location: http://stackoverflow.com

Content-Type: text/plain

location: http://stackoverflow.com

content-type: text/plain

This isn't "HTTP" standard, but just another one of the browser quirks, we as developers, have to think about.

Allomorph answered 6/5, 2016 at 14:55 Comment(5)

Could you provide any evidence on that? – Artair 6/5, 2016 at 15:8

I meant a concrete test case; I do have an IE to test with. – Artair 6/5, 2016 at 21:28

Why exactly does it tend to be best? – Boar 10/5, 2016 at 15:27

I will make a browser that sends headers with random capitalization just to screw with devs – Quaint 17/3, 2020 at 9:57

Except when using HTTP/2 which now invalidates upper case in header names according to @Borek's comment on this answer: https://mcmap.net/q/53215/-are-http-headers-case-sensitive – Erotomania 17/8, 2023 at 23:28

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

HTTP/1.1

HTTP/2.0

Recommended topics

Hot tags