Skip to content

Commit

Permalink
chore(http): Updates to headers pages
Browse files Browse the repository at this point in the history
  • Loading branch information
bsmth committed Nov 26, 2024
1 parent 988c552 commit 3cb5848
Show file tree
Hide file tree
Showing 15 changed files with 157 additions and 103 deletions.
87 changes: 66 additions & 21 deletions files/en-us/web/http/headers/server-timing/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ browser-compat: http.headers.Server-Timing

{{HTTPSidebar}}

The **`Server-Timing`** header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.
The HTTP **`Server-Timing`** {{Glossary("response header")}} communicates one or more performance metrics about the request-response cycle to the user agent.
It is used to surface backend server timing metrics (for example, database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.

<table class="properties">
<tbody>
Expand All @@ -17,55 +18,98 @@ The **`Server-Timing`** header communicates one or more metrics and descriptions
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<td>no</td>
<td>No</td>
</tr>
</tbody>
</table>

## Syntax

The syntax of the `Server-Timing` header allows you to communicate metrics in different ways: server metric name only, metric with value, metric with value and description, and metric with description.

This header can contain one or more metrics, separated by commas. Each metric has a name, an optional duration, and an optional description. These components are separated by semi-colons.
```http
// A single metric
Server-Timing: <timing-metric>
The duration component consists of the string `"dur"`, followed by `"="`, followed by the value, like `"dur=23.2"`.
The description component consists of the string `"desc"`, followed by `"="`, followed by the value, like `"desc=DB lookup"`.
// Multiple metrics as a comma-separated list
Server-Timing: <timing-metric>, <timing-metric>
```

The specification advises that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.
A `<timing-metric>` has a name, and may include an optional duration and an optional description.
For example:

```http
// Single metric without value
// A metric with a name only
Server-Timing: missedCache
// Single metric with value
// A metric with a duration
Server-Timing: cpu;dur=2.4
// Single metric with description and value
// A metric with a description and duration
Server-Timing: cache;desc="Cache Read";dur=23.2
// Two metrics with value
// Two metrics with duration values
Server-Timing: db;dur=53, app;dur=47.2
// Server-Timing as trailer
Trailer: Server-Timing
--- response body ---
Server-Timing: total;dur=123.4
```

## Privacy and security
## Directives

The `Server-Timing` header may expose potentially sensitive application and infrastructure information. Consider to control which metrics are returned when and to whom on the server side. For example, you could only show metrics to authenticated users and nothing to the public.
- `<timing-metric>`
- : A comma-separated list of one or more metrics with the following components separated by semi-colons:
- `<name>`
- : A name component as a token (cannot contain spaces or special characters).
- `<duration>` {{optional_inline}}
- : A duration component consisting of the string `dur`, followed by `=`, followed by a value, like `dur=23.2`.
- `<description>` {{optional_inline}}
- : A description component consisting of the string `desc`, followed by `=`, followed by a value as a token or a quoted string, like `desc=prod` or `desc="DB lookup"`.

## PerformanceServerTiming interface
The specification advises that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.

## Description

### Privacy and security

The `Server-Timing` header may expose potentially sensitive application and infrastructure information.
Consider to control which metrics are returned when and to whom on the server side.
For example, you could only show metrics to authenticated users and nothing to the public.

### PerformanceServerTiming interface

In addition to having `Server-Timing` header metrics appear in the developer tools of the browser, the {{domxref("PerformanceServerTiming")}} interface enables tools to automatically collect and process metrics from JavaScript. This interface is restricted to the same origin, but you can use the {{HTTPHeader("Timing-Allow-Origin")}} header to specify the domains that are allowed to access the server metrics. The interface is only available in secure contexts (HTTPS) in some browsers.

The components of the `Server-Timing` header map to the {{domxref("PerformanceServerTiming")}} properties like this:
The components of the `Server-Timing` header map to the {{domxref("PerformanceServerTiming")}} properties as follows:

- `"name"` -> {{domxref("PerformanceServerTiming.name")}}
- `"dur"` -> {{domxref("PerformanceServerTiming.duration")}}
- `"desc"` -> {{domxref("PerformanceServerTiming.description")}}

## Examples

### Sending a metric using the Server-Timing header

The following response includes a metric `custom-metric` with a duration of `123.45` milliseconds, and a description of "My custom metric":

```http
Server-Timing: custom-metric;dur=123.45;desc="My custom metric"
```

### Server-Timing as HTTP trailer

In the following response, the {{HTTPHeader("Trailer")}} header is used to indicate that a `Server-Timing` header will follow the response body.
A metric `custom-metric` with a duration of `123.4` milliseconds is sent.

```http
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Trailer: Server-Timing
--- response body ---
Server-Timing: custom-metric;dur=123.4
```

> [!WARNING]
> Only the browser's DevTools can use the Server-Timing header as a HTTP trailer to display information in the Network -> Timings tab.
> The Fetch API cannot access HTTP trailers.
> See [Browser compatibility](#browser_compatibility) for more information.
## Specifications

{{Specifications}}
Expand All @@ -77,3 +121,4 @@ The components of the `Server-Timing` header map to the {{domxref("PerformanceSe
## See also

- {{domxref("PerformanceServerTiming")}}
- {{HTTPHeader("Trailer")}} header
4 changes: 2 additions & 2 deletions files/en-us/web/http/headers/server/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ browser-compat: http.headers.Server

{{HTTPSidebar}}

The **`Server`** header describes the software used by the origin server that handled the request and generated a response.
The HTTP **`Server`** {{Glossary("response header")}} describes the software used by the origin server that handled the request and generated a response.

The benefits of advertising the server type and version via this header are that it helps with analytics and identifying how widespread specific interoperability issues are.
Historically, clients have used the server version information to avoid known limitations, such as inconsistent support for [range requests](/en-US/docs/Web/HTTP/Range_requests) in specific software versions.
Expand All @@ -27,7 +27,7 @@ In general, a more robust approach to server security is to ensure software is r
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<td>no</td>
<td>No</td>
</tr>
</tbody>
</table>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ browser-compat: http.headers.Service-Worker-Navigation-Preload
The HTTP **`Service-Worker-Navigation-Preload`** {{Glossary("request header")}} indicates that the request was the result of a {{domxref("Window/fetch", "fetch()")}} operation made during service worker navigation preloading.
It allows a server to respond with a different resource than for a normal `fetch()`.

If a different response may result from setting this header, the server must set {{HTTPHeader("Vary", "Vary: Service-Worker-Navigation-Preload")}} to ensure that different responses are cached.
If a different response may result from setting this header, the server must include a {{HTTPHeader("Vary", "Vary: Service-Worker-Navigation-Preload")}} header in responses to ensure that different responses are cached.

For more information see {{domxref("NavigationPreloadManager.setHeaderValue()")}} (and {{domxref("NavigationPreloadManager")}}).

Expand Down Expand Up @@ -42,9 +42,9 @@ Service-Worker-Navigation-Preload: <value>

## Examples

### Using Service-Worker-Navigation-Preload
### Service worker navigation preloading headers

The header below is sent by default in requests:
The following request header is sent by default in navigation preload requests:

```http
Service-Worker-Navigation-Preload: true
Expand Down
8 changes: 6 additions & 2 deletions files/en-us/web/http/headers/set-cookie/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,10 @@ Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnl
- : Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link).
This is the default behavior if the `SameSite` attribute is not specified.

> [!WARNING]
> Browser implementations vary when `SameSite` is omitted.
> See [Browser compatibility](#browser_compatibility) for details.
- `None`

- : Means that the browser sends the cookie with both cross-site and same-site requests.
Expand Down Expand Up @@ -176,15 +180,15 @@ Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnl
### Session cookie
**Session cookies** are removed when the client shuts down. Cookies are session cookies if they do not specify the `Expires` or `Max-Age` attribute.
Session cookies are removed when the client shuts down. Cookies are session cookies if they do not specify the `Expires` or `Max-Age` attribute.
```http
Set-Cookie: sessionId=38afes7a8
```

### Permanent cookie

**Permanent cookies** are removed at a specific date (`Expires`) or after a specific length of time (`Max-Age`) and not when the client is closed.
Permanent cookies are removed at a specific date (`Expires`) or after a specific length of time (`Max-Age`) and not when the client is closed.

```http
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT
Expand Down
4 changes: 2 additions & 2 deletions files/en-us/web/http/headers/set-login/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ browser-compat: http.headers.Set-Login

{{HTTPSidebar}}{{SeeCompatTable}}

The HTTP **`Set-Login`** {{Glossary("response header")}} is sent by a federated identity provider (IdP) to set its login status, and indicates "whether any users are logged into the IdP on the current browser or not".
The HTTP **`Set-Login`** {{Glossary("response header")}} is sent by a federated identity provider (IdP) to set its login status, and indicates whether any users are logged into the IdP on the current browser or not.
This is stored by the browser and used by the [FedCM API](/en-US/docs/Web/API/FedCM_API) to reduce the number of requests it makes to the IdP as the browser doesn't need to request accounts when there are no users logged in to the IdP.
It also mitigates [potential timing attacks](https://github.com/w3c-fedid/FedCM/issues/447).

Expand Down Expand Up @@ -47,7 +47,7 @@ Set-Login: <status>
- `logged-out`: All IdP user accounts are currently signed out.

> [!NOTE]
> Browsers should ignore this header if it contains any other value.
> Browsers ignore this header if it contains any other value.
## Examples

Expand Down
13 changes: 11 additions & 2 deletions files/en-us/web/http/headers/sourcemap/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ browser-compat: http.headers.SourceMap

The HTTP **`SourceMap`** {{Glossary("response header")}} links generated code to a {{Glossary("source map")}}, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger.

The HTTP `SourceMap` header has precedence over a source annotation (`sourceMappingURL=path-to-map.js.map`), and if both are present, the header URL is used to resolve the source map file.

<table class="properties">
<tbody>
<tr>
Expand Down Expand Up @@ -36,14 +38,20 @@ X-SourceMap: <url> (deprecated)

## Examples

### Linking to a source map using `SourceMap`
### Linking to a source map using the `SourceMap` header

The following response contains an absolute
The following response contains an absolute path in the `SourceMap` header.

```http
HTTP/1.1 200 OK
Content-Type: application/javascript
SourceMap: /path/to/file.js.map
<optimized-javascript>
```

Developer tools use the mappings between optimized code and the original source to improve readability, which can make debugging easier.

## Specifications

{{Specifications}}
Expand All @@ -56,3 +64,4 @@ SourceMap: /path/to/file.js.map

- {{Glossary("Source map")}}
- [Firefox Developer Tools: using a source map](https://firefox-source-docs.mozilla.org/devtools-user/debugger/how_to/use_a_source_map/index.html)
- [What are source maps?](https://web.dev/articles/source-maps) on web.dev (2023)
17 changes: 8 additions & 9 deletions files/en-us/web/http/headers/strict-transport-security/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,24 +56,23 @@ The `Strict-Transport-Security` header informs the browser that it should never
> Once your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS-capable and will honor the `Strict-Transport-Security` header.
> Browsers do this as attackers may intercept HTTP connections to the site and inject or remove the header.
### An example scenario
### Strict Transport Security example scenario

You log into a free Wi-Fi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills.
Assume you have logged into a free Wi-Fi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills.
Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's website once using HTTPS, and the bank's website uses Strict Transport Security, your
browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.
Strict Transport Security resolves this problem; as long as you've accessed your bank's website once using HTTPS, and the bank's website uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

### How the browser handles it
### How the browser handles Strict Transport Security

The first time your site is accessed using HTTPS and it returns the `Strict-Transport-Security` header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
The first time a site is accessed using HTTPS and it returns the `Strict-Transport-Security` header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the `Strict-Transport-Security` header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring.
Should it be necessary to disable Strict Transport Security, setting the `max-age` to 0 (over an https connection) will immediately expire the `Strict-Transport-Security` header, allowing access via http.
Whenever the `Strict-Transport-Security` header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring.
Should it be necessary to disable Strict Transport Security, setting the `max-age` to `0` (over an HTTPS connection) will immediately expire the `Strict-Transport-Security` header, allowing access via HTTP.

## Preloading Strict Transport Security
### Preloading Strict Transport Security

Google maintains [an HSTS preload service](https://hstspreload.org/).
By following the guidelines and successfully submitting your domain, you can ensure that browsers will connect to your domain only via secure connections.
Expand Down
33 changes: 14 additions & 19 deletions files/en-us/web/http/headers/te/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,15 +11,13 @@ The HTTP **`TE`** {{Glossary("request header")}} specifies the transfer encoding

Some people informally consider "`Accept-Transfer-Encoding`" to be a more intuitive name for this header.

> [!NOTE]
> In
> [HTTP/2](https://httpwg.org/specs/rfc9113.html#ConnectionSpecific) and
> [HTTP/3](https://httpwg.org/specs/rfc9114.html#header-formatting), the `TE`
> header field is only accepted if the `trailers` value is set.
Note that `chunked` is always acceptable for HTTP/1.1 recipients and you don't have to specify `chunked` using the `TE` header.
However, it is useful if the client is accepting trailer fields in a chunked transfer coding using the `trailers` value.

See the {{HTTPHeader("Transfer-Encoding")}} response header for more details on transfer encodings.
Note that `chunked` is always acceptable for HTTP/1.1 recipients and you don't have to specify `chunked` using the `TE` header.
However, it is useful for setting if the client is accepting trailer fields in a chunked transfer coding using the `trailers` value.

> [!NOTE]
> In [HTTP/2](https://httpwg.org/specs/rfc9113.html#ConnectionSpecific) and [HTTP/3](https://httpwg.org/specs/rfc9114.html#header-formatting), the `TE` header field is only accepted if the `trailers` value is set.
<table class="properties">
<tbody>
Expand All @@ -41,29 +39,26 @@ TE: compress
TE: deflate
TE: gzip
TE: trailers
```

// Multiple directives, weighted with the {{glossary("quality values", "quality value")}} syntax:
Multiple directives with {{glossary("quality values")}} as weights:

```http
TE: trailers, deflate;q=0.5
```

## Directives

- `compress`
- : A format using the [Lempel-Ziv-Welch](https://en.wikipedia.org/wiki/LZW) (LZW) algorithm is
accepted as a transfer coding name.
- : A format using the [Lempel-Ziv-Welch](https://en.wikipedia.org/wiki/LZW) (LZW) algorithm is accepted as a transfer coding name.
- `deflate`
- : Using the [zlib](https://en.wikipedia.org/wiki/Zlib)
structure is accepted as a transfer coding name.
- : Using the [zlib](https://en.wikipedia.org/wiki/Zlib) structure is accepted as a transfer coding name.
- `gzip`
- : A format using the [Lempel-Ziv coding](https://en.wikipedia.org/wiki/LZ77_and_LZ78#LZ77)
(LZ77), with a 32-bit CRC is accepted as a transfer coding name.
- : A format using the [Lempel-Ziv coding](https://en.wikipedia.org/wiki/LZ77_and_LZ78#LZ77) (LZ77), with a 32-bit CRC is accepted as a transfer coding name.
- `trailers`
- : Indicates that the client is willing to accept trailer fields in a chunked transfer
coding.
- : Indicates that the client is willing to accept trailer fields in a chunked transfer coding.
- `q`
- : When multiple transfer codings are acceptable, the `q` parameter of the
[quality value](/en-US/docs/Glossary/Quality_values) syntax can rank
codings by preference.
- : When multiple transfer codings are acceptable, the `q` parameter ({{glossary("quality values")}}) syntax can order codings by preference.

## Specifications

Expand Down
3 changes: 2 additions & 1 deletion files/en-us/web/http/headers/timing-allow-origin/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,4 +63,5 @@ Timing-Allow-Origin: https://developer.mozilla.org
## See also

- [Resource Timing API](/en-US/docs/Web/API/Performance_API/Resource_timing)
- {{HTTPHeader("Vary")}}
- {{HTTPHeader("Server-Timing")}} header
- {{HTTPHeader("Vary")}} header
Loading

0 comments on commit 3cb5848

Please sign in to comment.