what characters are allowed in HTTP header values?

by

RFC 2616 is obsolete, the relevant part has been replaced by RFC 7230.

The NUL octet is no longer allowed in comment and quoted-string text,
and handling of backslash-escaping in them has been clarified. The
quoted-pair rule no longer allows escaping control characters other
than HTAB. Non-US-ASCII content in header fields and the reason phrase
has been obsoleted and made opaque (the TEXT rule was removed).
(Section 3.2.6)

In essence, RFC 2616 defaulted to ISO-8859-1, and this was both insufficient and not interoperable anyway. Thus, RFC 7230 has deprecated non-ASCII octets in field values. The recommendation is to use an escaping mechanism on top of that (such as defined in RFC 8187, or plain URI-percent-encoding).

More Related Contents:

  1. application/x-www-form-urlencoded or multipart/form-data?
  2. Are HTTP headers case-sensitive?
  3. Do I need Content-Type: application/octet-stream for file download?
  4. Maximum on HTTP header values?
  5. Custom HTTP headers : naming conventions
  6. What’s the difference between Cache-Control: max-age=0 and no-cache?
  7. Difference between Pragma and Cache-Control headers?
  8. Is there a practical HTTP Header length limit?
  9. Detecting the character encoding of an HTTP POST request
  10. HTTP Range header
  11. How can I get the clients IP address from HTTP headers?
  12. Content-Length header with HEAD requests?
  13. Why is Cache-Control attribute sent in request header (client to server)?
  14. How to forward headers on HTTP redirect
  15. Difference between Content-Range and Range headers?
  16. How does “304 Not Modified” work exactly?
  17. What is q=0.5 in Accept* HTTP headers?
  18. How big can a user agent string get?
  19. What is Cache-Control: private?
  20. Standard for adding multiple values of a single HTTP Header to a request or response
  21. How can I find out whether a server supports the Range header?
  22. Setting HTTP headers
  23. Does the HTTP Protocol support multiple content types in response headers?
  24. What is the http-header “X-XSS-Protection”?
  25. What is HTTP “Host” header?
  26. How to evaluate http response codes from bash/shell script?
  27. Is the Content-Length header required for a HTTP/1.0 response?
  28. Is REST DELETE really idempotent?
  29. Avoid caching of the http responses
  30. S3: How to do a partial read / seek without downloading the complete file?

Leave a Comment