Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What is wrong with custom http headers? Like these from Cloudfront:

X-Ua-Compatible: IE=Edge,chrome=1

X-Request-Id: 19c0a05fd28e371127a76f658203eace

X-Runtime: 0.002039

X-Content-Digest: 2c4b5e9fc815a69ecb514e41e27e6ac7f2716801

X-Rack-Cache: miss, store

X-Varnish: 1299462197

X-Cache: Hit from cloudfront

X-Amz-Cf-Id: kDpGVcaIcDVQm-PkMd_FPnR_IcPZqPgR0NxKEvmOBWKaURpeus5vEw==,_ycCBrLJT91EOYt14GTciFKKLlpzLt1cogvPpK2PkDP7QzYVGbcsGQ==



Appendix B:

    The primary problem with the "X-" convention is that unstandardized
   parameters have a tendency to leak into the protected space of
   standardized parameters, thus introducing the need for migration from
   the "X-" name to a standardized name.  Migration, in turn, introduces
   interoperability issues (and sometimes security issues) because older
   implementations will support only the "X-" name and newer
   implementations might support only the standardized name.  To
   preserve interoperability, newer implementations simply support the
   "X-" name forever, which means that the unstandardized name has
   become a de facto standard (thus obviating the need for segregation
   of the name space into standardized and unstandardized areas in the
   first place).
Most of your examples are covered under the "exception 1" clause, also in Appendix B:

   In some situations, segregating the parameter name space used in a
   given application protocol can be justified:

   1.  When it is extremely unlikely that some parameters will ever be
       standardized...
   2.  When parameter names might have significant meaning...
   3.  When parameter names need to be very short (e.g., as in [RFC5646]
       for language tags)...


They aren't complaining about custom http headers it's just the practise of using "X-" on front of the names.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: