In the absense of cache control directives that specify otherwise, a 301 redirect defaults to being cached without any expiry date. That is, it will remain cached for as long as the browser’s cache can accommodate it. It will be removed from the cache if you manually clear the cache, or if the cache entries … Read more
Note that RFC 6266 supersedes the RFCs referenced below. Section 7 outlines some of the related security concerns. The authority on the content-disposition header is RFC 1806 and RFC 2183. People have also devised content-disposition hacking. It is important to note that the content-disposition header is not part of the HTTP 1.1 standard. The HTTP … Read more
I had this same question, and found some info in my searches (your question came up as one of the results). Here’s what I determined… There are two sides to the Cache-Control header. One side is where it can be sent by the web server (aka. “origin server”). The other side is where it can … Read more
It is up to the browser but they behave in similar ways. F5 usually updates the page only if it is modified. Modern browsers sends Cache-Control: max-age=0 to tell any cache the maximum amount of time a resource is considered fresh, relative to the time of the request. CTRL–F5 is used to force an update, … Read more
The recommendation is was to start their name with “X-“. E.g. X-Forwarded-For, X-Requested-With. This is also mentioned in a.o. section 5 of RFC 2047. Update 1: On June 2011, the first IETF draft was posted to deprecate the recommendation of using the “X-” prefix for non-standard headers. The reason is that when non-standard headers prefixed … Read more
No, HTTP does not define any limit. However most web servers do limit size of headers they accept. For example in Apache default limit is 8KB, in IIS it’s 16K. Server will return 413 Entity Too Large error if headers size exceeds that limit. Related question: How big can a user agent string get?
Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape. There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field … Read more
No. The content-type should be whatever it is known to be, if you know it. application/octet-stream is defined as “arbitrary binary data” in RFC 2046, and there’s a definite overlap here of it being appropriate for entities whose sole intended purpose is to be saved to disk, and from that point on be outside of … Read more
They need to be percent-encoded: > encodeURIComponent(‘&’) “%26” So in your case, the URL would look like: http://www.mysite.com?candy_name=M%26M
Have the user click on a link to https://log:[email protected]/. That will overwrite existing credentials with invalid ones; logging them out.