spring cloud 微服务之间添加自定义的header头
 
spring cloud 微服务之间添加自定义的header头
创建注册中心
创建生产者
创建消费者
验证结果
 

 
spring cloud 微服务之间添加自定义的header头
 
在我们的微服务开发过程中，有时候我们在调用其他微服务的时候，我们希望把一些参数放在header中，而不是作为参数往下传，这样的场景我们该如何解决呢？
 
创建注册中心
 
首先我们使用IDEA创建一个空的项目，项目的名称为cloud-header-demo，接着在该项目底下创建我们的注册中心的module。
 
 接着我们引入我们的eureka的依赖，pom.xml的代码如下：
 
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.cloud.header</groupId>
    <artifactId>eureka-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>eureka-demo</name>
    <description>注册中心例子</description>

    <properties>
        <java.version>1.8</java.version>
        <spring-cloud.version>Greenwich.SR2</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

 
接着我们修改我们的配置文件application.yml修改完成以后代码如下：
 
spring:
  application:
    # 工程名字
    name: eureka-demo

server:
  port: 2100

eureka:
  client:
    #缓存清单的更新时间,默认是30秒
    registry-fetch-interval-seconds: 30
    service-url:
      # 注册中心的地址
      defaultZone: http://127.0.0.1:2100/eureka/
  server:
    # 默认情况下，如果Eureka Server在一定时间内没有接收到某个微服务实例的心跳，Eureka Server将会注销该实例（默认90秒）。
    # 但是当网络分区故障发生时，微服务与Eureka Server之间无法正常通信，
    # 以上行为可能变得非常危险了——因为微服务本身其实是健康的，此时本不应该注销这个微服务。
    # Eureka通过“自我保护模式”来解决这个问题——当Eureka Server节点在短时间内丢失过多客户端时（可能发生了网络分区故障），
    # 那么这个节点就会进入自我保护模式。一旦进入该模式，Eureka Server就会保护服务注册表中的信息，不再删除服务注册表中的数据（也就是不会注销任何微服务）。
    # 当网络故障恢复后，该Eureka Server节点会自动退出自我保护模式。
    enable-self-preservation: true
    #节点间的读数据连接超时时间单位毫秒
    peer-node-read-timeout-ms: 1000

 
最后在我们的启动类上添加以下的注解
 
@SpringBootApplication
@EnableEurekaServer
public class EurekaDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(EurekaDemoApplication.class, args);
    }

}
 
创建生产者
 
接着我们在cloud-header-demo底下创建我们的produce-demo的生产者项目。
 
 接着我们引入我们的eureka的依赖，pom.xml的代码如下：
 
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.cloud.header</groupId>
    <artifactId>produce-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>produce-demo</name>
    <description>生产者的demo例子</description>

    <properties>
        <java.version>1.8</java.version>
        <spring-cloud.version>Greenwich.SR2</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

 
接着我们修改我们的配置文件application.yml修改完成以后代码如下：
 
server:
  port: 11100


spring:
  servlet:
    multipart:
      max-file-size: 100MB
      max-request-size: 500MB
  application:
    name: produce-demo


eureka:
  client:
    service-url:
      defaultZone: http://127.0.0.1:2100/eureka/
  instance:
    instance-id: ${spring.cloud.client.ip-address}:${server.port}

 
最后我们编写一个最简单的controller方法来获取我们消费者传送过来的自定义的header
 
@RestController
public class HeaderController {

    @GetMapping("getConsumerHeader")
    public String getConsumerHeader(){
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
        String consumerHeader = request.getHeader("consumerHeader");
        if(consumerHeader!=null && !"".equals(consumerHeader)){
            System.out.println("----" + URLDecoder.decode(consumerHeader,"GBK"));
        }else{
            System.out.println("----" +  consumerHeader);
        }
        return "success";
    }

}
 
接着我们启动我们的注册中心和生产者，我们使用访问：http://127.0.0.1:11100/getConsumerHeader 这时候我们会看到我们的请求头里面并没有我们自定义的头部信息：
 
 
创建消费者
 
此处就是我们本章的核心部分了，我们该如何实现在调用其他生产者的时候把我们自定义的header传给下一个生产者呢，首先在cloud-header-demo底下创建我们的consumer-demo的消费者项目。
 
 接着我们引入我们的eureka和feign的依赖，pom.xml的代码如下：
 
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.cloud.header</groupId>
    <artifactId>consumer-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>consumer-demo</name>
    <description>这是一个消费者的例子</description>

    <properties>
        <java.version>1.8</java.version>
        <spring-cloud.version>Greenwich.SR2</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
 
接着我们修改我们的配置文件application.yml修改完成以后代码如下：
 
server:
  port: 12100


spring:
  servlet:
    multipart:
      # 单个文件上传的最大值
      max-file-size: 100MB
      # 多个文件上传的总的最大值
      max-request-size: 500MB
  cloud:
    loadbalancer:
      retry:
        # 该参数用来开启重试机制，它默认是关闭的。
        enabled: true
  application:
    name: user-demo


eureka:
  client:
    service-url:
      # 注册中心地址
      defaultZone: http://127.0.0.1:2100/eureka/
  instance:
    # 配置在eureka上status栏显示的信息
    instance-id: ${spring.cloud.client.ip-address}:${server.port}

feign:
  hystrix:
    # 关闭hystrix默认就是关闭，若是设置为true的话一定要记得配置超时的时间，要不到时候可能会导致超时失败，因此最好将此处的熔断机制给去除
    enabled: false
  compression:
    # 开启GZIP的压缩功能以减少HTTP通信的消耗。
    request:
      enabled: true
      # 以下的请求的类型且请求数据的大小超过2048的将为会压缩传输。
      min-request-size: 2048
      mime-types: text/xml,application/xml,application/json
    response:
      enabled: true

ribbon:
  # #请求连接的超时时间。
  ConnectTimeout: 6000
  # 请求处理的超时时间，该超时时间的影响层级大于全局的超时时间,设置了该时间那么，如果调用生产端的时候超过1秒那么就直接调用重试规则，因此若重试次数和切换次数都是为1那么，响应的时间不超过4秒
  ReadTimeout: 60000
  # 对所有操作请求都进行重试。
  OkToRetryOnAllOperations: true
  # 以下重试实现响应EUREKA-PRODUCER的最大次数是 ：（1 + MaxAutoRetries）* （1 + MaxAutoRetriesNextServer）
  # 假设 MaxAutoRetries = 2 ，MaxAutoRetriesNextServer = 4 ，那么最大的重试次数为15次
  # 切换实例的重试次数。
  MaxAutoRetriesNextServer: 1
  # 对当前实例的重试次数。
  MaxAutoRetries: 1
 
接着在我们的启动类上添加以下的注解
 
@SpringBootApplication
@EnableFeignClients
@EnableDiscoveryClient
public class ConsumerDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(ConsumerDemoApplication.class, args);
    }

}
 
最后我们开始编写我们的相关的实现，首先我们创建一个config包，在该包底下创建一个FeignConfiguration的配置代码如下：
 
package com.cloud.header.consumer.demo.config;

import feign.Logger;
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpServletRequest;
import java.util.Enumeration;

/**
 * 类描述：feign在调用生产者的时候回把header传过去,若不配置则不传送request头
 * @author linzf
 */
@Configuration
public class FeignConfiguration {

    @Bean
    Logger.Level feignLoggerLevel() {
        // • NONE: 不记录任何信息。
        // • BASIC: 仅记录请求方法、URL以及响应状态码和执行时间。
        // • HEADERS: 除了记录BASIC级别的信息之外， 还会记录请求和响应的头信息。
        // • FULL: 记录所有请求与响应的明细， 包括头信息、 请求体、 元数据等。
        return Logger.Level.FULL;
    }

    @Bean
    public RequestInterceptor requestInterceptor() {
        return new RequestInterceptor() {
            @Override
            public void apply(RequestTemplate template) {
                ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder
                        .getRequestAttributes();
                HttpServletRequest request = attributes.getRequest();
                Enumeration<String> headerNames = request.getHeaderNames();
                if (headerNames != null) {
                    while (headerNames.hasMoreElements()) {
                        String name = headerNames.nextElement();
                        String values = request.getHeader(name);
                        template.header(name, values);
                    }
                }
            }
        };
    }
}
 
接着创建一个feign包，在底下创建我们的feign的调用HeaderFeign，代码如下：
 
package com.cloud.header.consumer.demo.feign;

import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;

/**
 * @author linzf
 * @since 2019/7/23
 * 类描述：
 */
@FeignClient(value="PRODUCE-DEMO")
public interface HeaderFeign {

    /**
     * 功能描述：实现调用生产者的方法
     * @return 返回调用结果
     */
    @GetMapping("getConsumerHeader")
    String getConsumerHeader();

}

 
接着创建一个controller包，在底下创建HeaderController，代码实现如下：
 
package com.cloud.header.consumer.demo.controller;

import com.cloud.header.consumer.demo.feign.HeaderFeign;
import org.apache.tomcat.util.http.MimeHeaders;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Field;

/**
 * @author linzf
 * @since 2019/7/23
 * 类描述：
 */
@RestController
public class HeaderController {

    @Autowired
    private HeaderFeign headerFeign;

    @GetMapping("getConsumerHeader")
    public String getConsumerHeader(){
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
        // 中文在请求头中会变为乱码，因此要进行转化
        reflectSetHeader(request,"consumerHeader", URLEncoder.encode("我是从消费者传过来的请求头", "GBK"));
        return headerFeign.getConsumerHeader();
    }

    /**
     * 功能描述：实现往请求里加入我们的header
     * @param request request对象
     * @param key header的key
     * @param value header的值
     */
    private void reflectSetHeader(HttpServletRequest request, String key, String value){
        Class<? extends HttpServletRequest> requestClass = request.getClass();
        try {
            Field request1 = requestClass.getDeclaredField("request");
            request1.setAccessible(true);
            Object o = request1.get(request);
            Field coyoteRequest = o.getClass().getDeclaredField("coyoteRequest");
            coyoteRequest.setAccessible(true);
            Object o1 = coyoteRequest.get(o);
            Field headers = o1.getClass().getDeclaredField("headers");
            headers.setAccessible(true);
            MimeHeaders o2 = (MimeHeaders)headers.get(o1);
            o2.removeHeader(key);
            o2.addValue(key).setString(value);
        } catch (Exception e) {

        }
    }
}
 
验证结果
 
最后我们将我们的注册中心，消费者和生产者全部启动起来，然后我们在浏览器访问以下的网址：http://127.0.0.1:12100/getConsumerHeader
 
 这时候我们的生产者就获取了消费者传过来的请求头的信息了，到此为止我们就完成了我们的微服务之间自定义请求头的传送了，到此为止的代码，大家可以直接去github上下载运行，github上的地址：https://github.com/lazyboyl/cloud-header-demo

这问题简直像恶魔一样特喵的~喵喵喵?
 
 
参考资料：
 
跨域踩坑经验总结（内涵：跨域知识科普） - 凝雨 - Yun
使用Vue的axios vue-resource跨域不成功 但原生xhr就可以 - SegmentFault 思否
 
前后端分离项目
 
假设现在前端地址为：b.example.com；接口地址为 api.example.com，且 Nginx 对应配置已搞妥。
 
编辑 api.example.com 地址的配置文件：
 
server {
    # 上方是该 Server 相关的端口、root 路径、index 一类设置
    # 这儿设置默认请求允许跨域（建议发布环境指定域名而不是“星”号，如 http://b.example.com）
    add_header Access-Control-Allow-Origin '*';

    location / {
        # 强制 HTTPS 跳转，不需要直接移除
        #if ($scheme = http) {
        #    return 301 https://$host$request_uri;
        #}

        # 根据 SF 里面大佬的解释，如果请求不是 GET 或者特定 POST（指定 Content-Type）时，
        # 浏览器会以 OPTIONS 方式发送一个预请求，
        # 所以在预请求的响应阶段，我们得允许跨域的相关操作
        if ($request_method = 'OPTIONS') {
            # 【必须】，同上说明，建议在发布环境用域名而不是“星”号
            add_header Access-Control-Allow-Origin '*';
            # Allow-Headers 指定允许的自定义请求头，如用户 Token
            add_header Access-Control-Allow-Headers 'App-Token';
            # 经过我的实验这个可以不加（有需要另说）
            # 一般来说在 POST 请求时因为 Content-Type 的原因在本次 OPTIONS 预请求后，
            # 会再发送的 POST 请求，而 POST 请求是可以正常接收的
            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
            # 请求是否携带 Cookie，无需要可忽略。有说该设置为 true 时 Allow-Origin 不可为 '*'
            add_header Access-Control-Allow-Credentials true;
            # 这个响应 Content-Type 也是根据需要设置（一般情况可以不用设置）
            add_header Content-Type 'application/json; charset=utf-8';
            # 如下 Content-Length 可忽略，返回状态码根据个人习惯可设置为 200
            add_header Content-Length 0;
            return 204;
        }

        # 因使用 Laravel/Lumen 框架，所以有这句，请删掉不用在意...
        try_files $uri $uri/ /index.php?$query_string;
    }

    # 下方为其它配置...
}
	

 
 
在java web开发中，我们有时候会遇到需要修改request中请求值的问题，虽然这个不是特别常见。初看这是一个简单的问题，因为我们能通过HttpServletRequest对象拿到我们需要的所有关于当前这个请求的所有信息，想当然的也就可以修改所以这些信息。可实际情况是HttpServletReques中很多的属性只有getter方法，而没有setter方法，也就是说我们不可以修改他们。
 记得第一次遇到这种问题还是初学编程的时候，最近又遇到这个问题，就记录一下。最近遇到的是在spring mvc中，使用@RequestBody注解把requestBody中的json映射到java的object。我们知道对于spring mvc来说，这样使用的时候需要在请求的header里面表明conten-type为application/json。如果完全是自己开发的系统，没有问题加上就是，但是当和第三方合作的时候，请求的发起方式就不是我们能控制住的了。现在的问题是如果使用spring mvc的这种开发模式，必须要在请求的header中设置content-type为application/json，但是第三方又不方便设置。所以只能在所有针对第三方的API中进行特殊处理。
 sping mvc是基于servlet的，我们只要在请求进入servlet之前的拦截器设置header中content-type为application/json就ok了.
 
 
   /**
 * 统一token校验
 * @author luca
 */
public class GlobalInterceptorHandler extends HandlerInterceptorAdapter {
    private final Logger logger = LoggerFactory.getLogger(GlobalInterceptorHandler.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        //如果是options请求直接放过
        if(request.getMethod().matches(HttpMethod.OPTIONS.name())){
            return true;
        }
        if(!(handler instanceof HandlerMethod)) {
            return true;
        }
        logger.info("request请求地址path[{}] uri[{}]", request.getServletPath(),request.getRequestURI());
        Map<String,String> headerses = new HashMap<>();
        headerses.put("content-type","application/json");
        modifyHeaders(request,headerses);
        return true;
    }

    /**
     * 修改请求头信息
     * @param headerses
     * @param request
     */
    private void modifyHeaders(HttpServletRequest request,Map<String, String> headerses) {
        if (headerses == null || headerses.isEmpty()) {
            return;
        }
        try {
            HttpServletRequestImpl httpRequest = (HttpServletRequestImpl) request;
            HttpServerExchange exchange = httpRequest.getExchange();
            HeaderMap headerMap = exchange.getRequestHeaders();
            for (Map.Entry<String, String> entry : headerses.entrySet()) {
                headerMap.add(new HttpString(entry.getKey()), entry.getValue());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {}
}

参考
 
List of HTTP header fields
 
翻译
 
标准要求字段
 
字段名
说明
例子
状态
A-IM
可接受实例操作的请求
A-IM: feed
永久的
Accept
对于响应来说是(/是)可接受的媒体类型。看到内容协商。
Accept: text/html
永久的
Accept-Charset
可接受的字符集。
Accept-Charset: utf-8
永久的
Accept-Datetime
可接受的版本。
Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT
临时的
Accept-Encoding
可接受的编码列表。看到HTTP压缩。
Accept-Encoding: gzip, deflate
永久的
Accept-Language
可接受的人类语言列表。看到内容协商。
Accept-Language: en-US
永久的
Access-Control-Request-Method 
Access-Control-Request-Headers[8]
启动与Origin共享跨源资源的请求(如下所示)。
Access-Control-Request-Method: GET
永久的
Authorization
HTTP身份验证的身份验证凭据。
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
永久的
Cache-Control
用于指定沿着请求-响应链的所有缓存机制必须遵守的指令。
Cache-Control: no-cache
永久的
Connection
当前连接的控制选项和逐跳请求字段的列表。
Connection: keep-alive 
Connection: Upgrade
永久的
Content-Length
请求体的长度(8位字节)。
Content-Length: 348
永久的
Content-MD5
请求体内容的一种base64编码的二进制MD5的和。
Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
废弃的
Content-Type
请求主体的媒体类型(与POST和PUT请求一起使用)。
Content-Type: application/x-www-form-urlencoded
永久的
Cookie
先前服务器通过Set-Cookie发送的HTTP cookie(如下所示)。
Cookie: $Version=1; Skin=new;
永久的
Date
消息发出的日期和时间(以RFC 7231日期/时间格式定义的“HTTP-date”格式)。
Date: Tue, 15 Nov 1994 08:12:31 GMT
永久的
Expect
指示客户端需要特定的服务器行为。
Expect: 100-continue
永久的
Forwarded
通过HTTP代理.公开连接到web服务器的客户机的原始信息
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17
永久的
From
发出请求的用户的电子邮件地址。
From: user@example.com
永久的
Host
主机
Host: en.wikipedia.org:8080 
 Host: en.wikipedia.org
永久的
If-Match
只有当客户机提供的实体与服务器上的相同实体匹配时，才执行该操作。这主要是针对像PUT to这样的方法，如果资源在用户上次更新后没有被修改，则只更新它。
If-Match: “737060cd8c284d8af7ad3082f209582d”
永久的
If-Modified-Since
如果内容不变，则允许返回未修改的304。
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
永久的
If-None-Match
如果内容不变，允许返回不修改的304，请参阅HTTP ETag。
If-None-Match: “737060cd8c284d8af7ad3082f209582d”
永久的
If-Range
如果实体不变，请将我遗漏的部分发送给我;否则，将整个新实体发送给我。
If-Range: “737060cd8c284d8af7ad3082f209582d”
永久的
If-Unmodified-Since
Only send the response if the entity has not been modified since a specific time.
If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
永久的
Max-Forwards
Limit the number of times the message can be forwarded through proxies or gateways.
Max-Forwards: 10
永久的
Origin[8]
Initiates a request for cross-origin resource sharing (asks server for Access-Control-* response fields).
Origin: http://www.example-social-network.com
永久的
Pragma
Implementation-specific fields that may have various effects anywhere along the request-response chain.
Pragma: no-cache
永久的
Proxy-Authorization
Authorization credentials for connecting to a proxy.
Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
永久的
Range
Request only part of an entity. Bytes are numbered from 0. See Byte serving.
Range: bytes=500-999
永久的
Referer [sic]
This is the address of the previous web page from which a link to the currently requested page was followed. (The word “referrer” has been misspelled in the RFC as well as in most implementations to the point that it has become standard usage and is considered correct terminology)
Referer: http://en.wikipedia.org/wiki/Main_Page
永久的
TE
The transfer encodings the user agent is willing to accept: the same values as for the response header field Transfer-Encoding can be used, plus the “trailers” value (related to the “chunked” transfer method) to notify the server it expects to receive additional fields in the trailer after the last, zero-sized, chunk.Only trailers is supported in HTTP/2.
TE: trailers, deflate
永久的
Upgrade
Ask the server to upgrade to another protocol. Must not be used in HTTP/2.
Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket
永久的
User-Agent
The user agent string of the user agent.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
永久的
Via
Informs the server of proxies through which the request was sent.
Via: 1.0 fred, 1.1 example.com (Apache/1.1)
永久的
Warning
A general warning about possible problems with the entity body.
Warning: 199 Miscellaneous warning
永久的
 
常见的非标准要求字段
 
Field name
Description
Example
Upgrade-Insecure-Requests
Tells a server which (presumably in the middle of a HTTP -> HTTPS migration) hosts mixed content that the client would prefer redirection to HTTPS and can handle Content-Security-Policy: upgrade-insecure-requests Must not be used with HTTP/2
Upgrade-Insecure-Requests: 1
X-Requested-With
Mainly used to identify Ajax requests. Most JavaScript frameworks send this field with value of XMLHttpRequest
X-Requested-With: XMLHttpRequest
DNT
Requests a web application to disable their tracking of a user. This is Mozilla’s version of the X-Do-Not-Track header field (since Firefox 4.0 Beta 11). Safari and IE9 also have support for this field. On March 7, 2011, a draft proposal was submitted to IETF.[18] The W3C Tracking Protection Working Group is producing a specification.
DNT: 1 (Do Not Track Enabled) 
DNT: 0 (Do Not Track Disabled)
X-Forwarded-For
A de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Superseded by Forwarded header.
X-Forwarded-For: client1, proxy1, proxy2
X-Forwarded-Host
A de facto standard for identifying the original host requested by the client in the Host HTTP request header, since the host name and/or port of the reverse proxy (load balancer) may differ from the origin server handling the request. Superseded by Forwarded header.
X-Forwarded-Host: en.wikipedia.org:8080 
X-Forwarded-Host: en.wikipedia.org
X-Forwarded-Proto
A de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (or a load balancer) may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS. An alternative form of the header (X-ProxyUser-Ip) is used by Google clients talking to Google servers. Superseded by Forwarded header.
X-Forwarded-Proto: https
Front-End-Https
Non-standard header field used by Microsoft applications and load-balancers
Front-End-Https: on
X-Http-Method-Override
Requests a web application to override the method specified in the request (typically POST) with the method given in the header field (typically PUT or DELETE). This can be used when a user agent or firewall prevents PUT or DELETE methods from being sent directly (note that this is either a bug in the software component, which ought to be fixed, or an intentional configuration, in which case bypassing it may be the wrong thing to do).
X-HTTP-Method-Override: DELETE
X-ATT-DeviceId
Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent String of AT&T Devices
X-Att-Deviceid: GT-P7320/P7320XXLPG
X-Wap-Profile
Links to an XML file on the Internet with a full description and details about the device currently connecting. In the example to the right is an XML file for an AT&T Samsung Galaxy S2.
x-wap-profile: http://wap.samsungmobile.com/uaprof/SGH-I777.xml
Proxy-Connection
Implemented as a misunderstanding of the HTTP specifications. Common because of mistakes in implementations of early HTTP versions. Has exactly the same functionality as standard Connection field.Must not be used with HTTP/2.[10]
Proxy-Connection: keep-alive
X-UIDH
Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless; also known as “perma-cookie” or “supercookie”
X-UIDH: …
X-Csrf-Token
Used to prevent cross-site request forgery. Alternative header names are: X-CSRFToken[32] and X-XSRF-TOKEN[33]
X-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql
X-Request-ID 
 X-Correlation-ID
Correlates HTTP requests between a client and server.
X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5
Save-Data
The Save-Data client hint request header available in Chrome, Opera, and Yandex browsers lets developers deliver lighter, faster applications to users who opt-in to data saving mode in their browser.
Save-Data: on
 
标准回复字段
 
Field name
Description
Example
Status
Access-Control-Allow-Origin 
 Access-Control-Allow-Credentials 
 Access-Control-Expose-Headers 
Access-Control-Max-Age 
 Access-Control-Allow-Methods 
 Access-Control-Allow-Headers
Specifying which web sites can participate in cross-origin resource sharing
Access-Control-Allow-Origin: *
Permanent: standard
Accept-Patch
Specifies which patch document formats this server supports
Accept-Patch: text/example;charset=utf-8
Permanent
Accept-Ranges
What partial content range types this server supports via byte serving
Accept-Ranges: bytes
Permanent
Age
The age the object has been in a proxy cache in seconds
Age: 12
Permanent
Allow
Valid methods for a specified resource. To be used for a 405 Method not allowed
Allow: GET, HEAD
Permanent
Alt-Svc
A server uses “Alt-Svc” header (meaning Alternative Services) to indicate that its resources can also be accessed at a different network location (host or port) or using a different protocol
When using HTTP/2, servers should instead send an ALTSVC frame. [40]
Alt-Svc: http/1.1=”http2.example.com:8001”; ma=7200
Permanent
Cache-Control
Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds
Cache-Control: max-age=3600
Permanent
Connection
Control options for the current connection and list of hop-by-hop response fields.[9]
Must not be used with HTTP/2.[10]
Connection: close
Permanent
Content-Disposition[41]
An opportunity to raise a “File Download” dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters.
Content-Disposition: attachment; filename=”fname.ext”
Permanent
Content-Encoding
The type of encoding used on the data. See HTTP compression.
Content-Encoding: gzip
Permanent
Content-Language
The natural language or languages of the intended audience for the enclosed content[42]
Content-Language: da
Permanent
Content-Length
The length of the response body in octets (8-bit bytes)
Content-Length: 348
Permanent
Content-Location
An alternate location for the returned data
Content-Location: /index.htm
Permanent
Content-MD5
A Base64-encoded binary MD5 sum of the content of the response
Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
Obsolete[11]
Content-Range
Where in a full body message this partial message belongs
Content-Range: bytes 21010-47021/47022
Permanent
Content-Type
The MIME type of this content
Content-Type: text/html; charset=utf-8
Permanent
Date
The date and time that the message was sent (in “HTTP-date” format as defined by RFC 7231) [43]
Date: Tue, 15 Nov 1994 08:12:31 GMT
Permanent
Delta-Base
Specifies the delta-encoding entity tag of the response[7].
Delta-Base: “abc”
Permanent
ETag
An identifier for a specific version of a resource, often a message digest
ETag: “737060cd8c284d8af7ad3082f209582d”
Permanent
Expires
Gives the date/time after which the response is considered stale (in “HTTP-date” format as defined by RFC 7231)
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Permanent: standard
IM
Instance-manipulations applied to the response[7].
IM: feed
Permanent
Last-Modified
The last modified date for the requested object (in “HTTP-date” format as defined by RFC 7231)
Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT
Permanent
Link
Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988
Link: ; rel=”alternate”[44]
Permanent
Location
Used in redirection, or when a new resource has been created.
Example 1: Location: http://www.w3.org/pub/WWW/People.html
Example 2: Location: /pub/WWW/People.html
Permanent
P3P
This field is supposed to set P3P policy, in the form of P3P:CP=”your_compact_policy”. However, P3P did not take off,[45] most browsers have never fully implemented it, a lot of websites set this field with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies.
P3P: CP=”This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info.”
Permanent
Pragma
Implementation-specific fields that may have various effects anywhere along the request-response chain.
Pragma: no-cache
Permanent
Proxy-Authenticate
Request authentication to access the proxy.
Proxy-Authenticate: Basic
Permanent
Public-Key-Pins[46]
HTTP Public Key Pinning, announces hash of website’s authentic TLS certificate
Public-Key-Pins: max-age=2592000; pin-sha256=”E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=”;
Permanent
Retry-After
If an entity is temporarily unavailable, this instructs the client to try again later. Value could be a specified period of time (in seconds) or a HTTP-date.[47]
Example 1: Retry-After: 120
Example 2: Retry-After: Fri, 07 Nov 2014 23:59:59 GMT
Permanent
Server
A name for the server
Server: Apache/2.4.1 (Unix)
Permanent
Set-Cookie
An HTTP cookie
Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1
Permanent: standard
Strict-Transport-Security
A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
Strict-Transport-Security: max-age=16070400; includeSubDomains
Permanent: standard
Trailer
The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding.
Trailer: Max-Forwards
Permanent
Transfer-Encoding
The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity.
Must not be used with HTTP/2.[10]
Transfer-Encoding: chunked
Permanent
Tk
Tracking Status header, value suggested to be sent in response to a DNT(do-not-track), possible values: ` “!” — nder construction
“?” — dynamic
“G” — gateway to multiple parties
“N” — not tracking
“T” — tracking
“C” — tracking with consent
“P” — tracking only if consented
“D” — disregarding DNT
“U” — updated
Tk: ?
Permanent
Upgrade
Ask the client to upgrade to another protocol.
Must not be used in HTTP/2[10]
Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket
Permanent
Vary
Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.
Example 1: Vary: *
Example 2: Vary: Accept-Language
Permanent
Via
Informs the client of proxies through which the response was sent.
Via: 1.0 fred, 1.1 example.com (Apache/1.1)
Permanent
Warning
A general warning about possible problems with the entity body.
Warning: 199 Miscellaneous warning
Permanent
WWW-Authenticate
Indicates the authentication scheme that should be used to access the requested entity.
WWW-Authenticate: Basic
Permanent
X-Frame-Options[48]
Clickjacking protection: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from - allow from specified location, allowall - non-standard, allow from any location
X-Frame-Options: deny
Obsolete[49]
 
常见的非标准响应领域
 
Field name
Description
Example
Content-Security-Policy,
X-Content-Security-Policy,
X-WebKit-CSP[50]
Content Security Policy definition.
X-WebKit-CSP: default-src ‘self’
Refresh
Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. Header extension introduced by Netscape and supported by most web browsers.
Refresh: 5; url=http://www.w3.org/pub/WWW/People.html
Status
CGI header field specifying the status of the HTTP response. Normal HTTP responses use a separate “Status-Line” instead, defined by RFC 7230.[51]
Status: 200 OK
Timing-Allow-Origin
The Timing-Allow-Origin response header specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions.[52]
Timing-Allow-Origin: *
Timing-Allow-Origin: [, ]*
X-Content-Duration[53]
Provide the duration of the audio or video in seconds; only supported by Gecko browsers
X-Content-Duration: 42.666
X-Content-Type-Options[54]
The only defined value, “nosniff”, prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.[55]
X-Content-Type-Options: nosniff[56]
X-Powered-By[57]
Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version)
X-Powered-By: PHP/5.4.0
X-Request-ID,
X-Correlation-ID[34]
Correlates HTTP requests between a client and server.
X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5
X-UA-Compatible[58]
Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer.
X-UA-Compatible: IE=EmulateIE7
X-UA-Compatible: IE=edge
X-UA-Compatible: Chrome=1
X-XSS-Protection[59]
Cross-site scripting (XSS) filter
X-XSS-Protection: 1; mode=block