Develop Reference

Should an HTTP server respond with a more specific Content-Type than was requested?

For example, if the request was
GET /feed.xml HTTP/1.1
Host: www.nowhere123.com
Accept: application/xml
... would it be admissible for a server to respond with a header Content-Type: application/atom+xml (even though the request had Accept: application/xml), or should it serve the same body but with Content-Type: application/xml?

A server is allowed to ignore the header field, so yes, sending something more specific is ok. There's a reason why HTTP messages are self-descriptive. (see https://greenbytes.de/tech/webdav/rfc7231.html#rfc.section.5.3.2.p.7)

How to ignore a http header line with missing colon separator in golang

I am facing a problem in golang http server where client is sending a http request with invalid parameters in header. The request parameters are as follows:
GET /a-53-qf21489190x38856_2/yy HTTP/1.1
Host: xxx.xxx.xxx.xxx:80
User-Agent: mot-w845
Connection: Keep-Alive
Profile: http://10.213.2.68
X-MDN9035445271
accept: application/vnd.wap.mms-message
accept-language: en
accept-charset: US-ASCII, ISO-8859-1, UTF-8
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Here X-MDN9035445271 doesn't contain colon (:) separator, because of this server is returning bad request. Is there any way to ignore such kind of header and process the request normally.

Ignore or modify request headers in NGINX

I need to make NGINX ignore / modify a request header.
Problem is some IoT devices are sending a HEAD request with the wrong Content-Length header. That makes NGINX wait for more content and then timeout.
Both dropping the Content-Length header or setting it to 0 should do the trick.
Example
This fails
HEAD / HTTP/1.1
Host: MY_HOST
Content-Length: 59
Content-Type: text/html
Connection: close
This works (Content-Length: 0)
HEAD / HTTP/1.1
Host: MY_HOST
Content-Length: 0
Content-Type: text/html
Connection: close
This works too (no Content-Length)
HEAD / HTTP/1.1
Host: MY_HOST
Content-Type: text/html
Connection: close
How can I make it happen?

I discovered that there's a NGINX module named HeadersMore that allow modifying input headers (and more).
In particular more_clear_input_headers allows to remove input headers and more_set_input_headers allows to modify input headers.
In my case
more_clear_input_headers "Content-Length";
or
more_set_input_headers "Content-Length: 0";

Atmosphere js headers sets parameters - not request headers

I need to disable compression for atmosphere request headers. so instead of:
Accept-Encoding: gzip, deflate
I want to change this to:
Accept-Encoding: identity
Here's the headers from the request atmosphere.js creates:
Accept text/event-stream
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Cache-Control no-cache
Connection keep-alive
Cookie JSESSIONID=791714A6221EEBBA
DNT 1
Host host
Pragma no-cache
Referer http://page url
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
I found in atmosphere documentation that you can specify headers:
headers [default = {}] A list of headers to send
But if I use this option:
headers={'Accept-Encoding':'identity'}
that gets passed as a request parameter- NOT a header.
Heres the request parameters that atmosphere.js creates:
Accept-Encoding identity
Content-Type application/json
X-Atmosphere-Framework 2.1.2-jquery
X-Atmosphere-Transport sse
X-Atmosphere-tracking-id 3a8f82b4-bbd9-48d8-907a-6e54ac94cbd6
X-Cache-Date 0
X-atmo-protocol true
Any ideas on how I can get Atmosphere to create requests without compression?

Just set request.attachHeadersAsQueryString = false

Cors Blocks Request with status 403 on Nginx

I am facing a strange issue with running CORS on Nginx, CORS is working fine for everything but one scenario when the Server responds with a 403 http response.
Basically when I login with correct credentials the cors request works fine , however when I provide wrong credentials for login the server(backend) responds with a 403 status and I get the following error
"NetworkError: 403 Forbidden - http://mydomain.com/v1/login"
login
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://mydomain.com/v1/login. This can be fixed by moving the resource to the same domain or enabling CORS.
If the credentials are correct I don't get this error and everything works perfectly.
I have done the configuration for enabling CORS and it seems to be working fine for everything else.
Following are the Request Headers
Request Headers
User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Referer:http://abc.mydomain.com/
Pragma: no-cache
Origin: http://abc.mydomain.com
Host: www.mydomain.com
Content-Type: application/json;charset=utf-8
Content-Length: 74
Connection: keep-alive
Cache-Control: no-cache
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, /
Response Headers
Server: nginx/1.4.1
Date: Tue, 10 Jun 2014 05:28:30 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 76
Connection: keep-alive

An option for nginx(>=1.75) is to specify always parameter in add_header :
If the always parameter is specified (1.7.5), the header field will be
added regardless of the response code.

I assume that you are using add_header directive to add CORS headers in the nginx configuration.
Nginx modules reference states about add_header:
Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
To fix problem you could use ngx_headers_more module to set CORS headers also to error responses.
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
more_set_headers 'Access-Control-Allow-Headers: Content-Type, Origin, Accept, Cookie';