Skip to content

Request headers used

Will Pearson edited this page Mar 6, 2026 · 11 revisions

In order to make further decisions on request headers we decided to keep a list

These were found using git grep headers\\.get and looking at headers sent during a request normally .

The links are indicative they will get out of date, but seemed worth doing.

The following is a list of public facing code bases with headers in each.

Headers potentially used by all flask apps viawerkzeug

  • accept-encoding
  • Expect
  • content-type
  • Content-Length
  • host
  • transfer-encoding
  • pragma
  • Accept
  • Accept-charset
  • Accept-language
  • Cache-control
  • If-Match
  • If-None-Match
  • If-modified-since
  • If-unmodified-since
  • If-range
  • range
  • user-agent
  • Authorization
  • etag
  • location
  • last-modified

notifications-utils

notifications-api

notifications-admin

  • X-Forwarded-For
  • Any use of session implies cookies, implies the cookie header

document-download-frontend

Nothing found

document-download-api

Some other headers that are set that we might want for logging or are consumed by other parts of the infra (or by flask). These are sent in normal requests to admin in chrome

  • :authority
  • :method
  • :path
  • :scheme
  • accept
  • accept-language
  • cache-control
  • cookie
  • priority
  • referer
  • sec-ch-ua
  • sec-ch-ua-mobile
  • sec-ch-ua-platform
  • sec-fetch-dest
  • sec-fetch-mode
  • sec-fetch-site
  • sec-fetch-user
  • upgrade-insecure-requests
  • user-agent

Clone this wiki locally