What are HTTP Headers?
Headers are key-value pairs sent with every HTTP request and response. They carry important metadata about the request, like authentication tokens, content types, and client information. See MDN Web Docs to read more on HTTP headers.
Common Headers You’ll Encounter
Authentication & Security
- Authorization: Bearer tokens, API keys
- Cookie: Session identifiers
- X-API-Key: Custom API authentication
- X-CSRF-Token: Cross-site request forgery protection
Content & Format
- Content-Type: Format of request body (application/json, text/html)
- Accept: What formats the client can handle
- Content-Length: Size of the request body
Client Information
- User-Agent: Browser or application identifier
- Referer: Previous page URL
- X-Forwarded-For: Original IP behind proxies
- Host: Target domain
Custom Headers
- X-Request-ID: Request tracking
- X-Customer-ID: Business identifiers
- X-Feature-Flag: Feature toggles
How Headers Work on the Web
Headers flow through every web interaction:
- Browser adds headers automatically (User-Agent, Accept, etc.)
- JavaScript adds headers for API calls (Authorization, Custom headers)
- Proxies add headers (X-Forwarded-For, X-Real-IP)
- Your app reads headers for authentication and routing
Using Headers in Policies
Basic Examples
Block requests missing authentication:
Advanced Patterns
Rate limit by API key:
Example: Unusual header combinations can identify requests that should be monitored or blocked by policy.
Header Operators
| Operator | Use Case | Example |
|---|---|---|
| equals | Exact match | Authorization: Bearer abc123 |
| contains | Partial match | User-Agent contains “Python” |
| starts with | Prefix match | Authorization starts with “Bearer” |
| is present | Header exists | X-Custom-Header is present |
| is not present | Header missing | Authorization is not present |
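The following is an added example, not Esperr's own policy syntax or code: a small Python evaluator for the operators in the table above that also combines several header conditions into one rule (the "check multiple headers together" case later on this page). The rules, header names such as X-API-Key, and sample requests are constructed for illustration; header names are matched case-insensitively while values are compared exactly.

```python
# Added example (not Esperr's code): evaluate header conditions using the
# operators from the table, combining several conditions per rule.
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Condition = Tuple[str, str, str]      # (header name, operator, value)
Rule = Tuple[str, List[Condition]]    # (action, conditions that must ALL hold)

# Value-comparison operators; "is present" / "is not present" are handled in check().
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda got, want: got == want,
    "contains": lambda got, want: want in got,
    "starts with": lambda got, want: got.startswith(want),
}

def lookup(headers: Headers, name: str) -> Optional[str]:
    """Find a header ignoring name case: 'authorization' is the same header as 'Authorization'."""
    for key, value in headers.items():
        if key.strip().lower() == name.strip().lower():
            return value.strip()
    return None

def check(headers: Headers, cond: Condition) -> bool:
    """Evaluate one (header, operator, value) condition against a request's headers."""
    name, op, want = cond
    got = lookup(headers, name)
    if op == "is present":
        return got is not None
    if op == "is not present":
        return got is None
    if got is None:  # a missing header never satisfies a value comparison
        return False
    return OPERATORS[op](got, want)  # values compared exactly (case-sensitive)

def evaluate(headers: Headers, rules: List[Rule]) -> str:
    """Return the action of the first rule whose conditions all hold, else 'allow'."""
    for action, conds in rules:
        if all(check(headers, c) for c in conds):
            return action
    return "allow"

# Constructed rules: block requests with no Authorization header; monitor a
# scripted client that arrives without the API key scripts are expected to send.
RULES: List[Rule] = [
    ("block", [("Authorization", "is not present", "")]),
    ("monitor", [("User-Agent", "contains", "python-requests"),
                 ("X-API-Key", "is not present", "")]),
]

if __name__ == "__main__":  # constructed sample requests, not real traffic
    print(evaluate({"Authorization": "Bearer abc123", "User-Agent": "Mozilla/5.0"}, RULES))
    print(evaluate({"user-agent": "python-requests/2.31"}, RULES))
```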
Security-Critical Headers
Headers to Monitor Closely
| Header | Why It’s Important | What to Look For |
|---|---|---|
| Authorization | Contains credentials | Missing, malformed tokens |
| X-Forwarded-For | Real client IP | IP spoofing attempts |
| Origin | Request source | Cross-origin attacks |
| Content-Type | Data format | Unexpected types for endpoints |
| Host | Target domain | Host header injection |
Headers That Reveal Attacks
Best Practices
DO:
- Validate authentication headers - Ensure they’re present and properly formatted
- Check Content-Type - Match expected formats for each endpoint
- Monitor custom headers - Track your application-specific headers
- Look for header anomalies - Unusual combinations can reveal attacks
- Use header presence checks - Sometimes missing headers are suspicious
DON’T:
- Trust client headers blindly - They can be spoofed
- Block common User-Agents carelessly - You might block legitimate users
- Forget about case sensitivity - HTTP header names are case-insensitive, but values may not be
- Expose sensitive data - Never put passwords or secrets in headers
- Ignore header injection - Validate header values for malicious content
Common Attack Patterns
Header Injection
Authentication Bypass Attempts
Traffic Protection
Working with Multiple Headers
Sometimes you need to check multiple headers together:
Custom Headers for Your Application
Many applications use custom headers:
Troubleshooting
“My header policy isn’t matching”
- Header names are case-insensitive but values might not be
- Check for spaces and special characters
- Verify the exact header name in browser DevTools
- Some proxies modify headers
- Proxies and load balancers add headers
- Browsers send different headers than mobile apps
- Some security tools modify User-Agent
Related Fields
- Request Method - Headers vary by method
- Cookies - Special header for session data
- Client IP - Often in X-Forwarded-For header
- User Agent - Specific header for client identification