Why do HTTP servers forbid underscores in HTTP header names

Question

I had a problem with a custom HTTP SESSION_ID header not being transfered by nginx proxy.

I was told that underscores are prohibited according to the HTTP RFC.

Searching, I found that most servers like Apache or nginx define them as illegal in RFC2616 section 4.2, which says:

follow the same generic format as that given in Section 3.1 of RFC 822 [9]

The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon)

Underscore is decimal character 95 in the ASCII table in the 33-126 range.

What am I missing?

score 167 · Accepted Answer · edited Mar 25 '20 at 04:42

167

They are not forbidden, it's CGI legacy. See "Missing (disappearing) HTTP Headers".

If you do not explicitly set underscores_in_headers on;, nginx will silently drop HTTP headers with underscores (which are perfectly valid according to the HTTP standard). This is done in order to prevent ambiguities when mapping headers to CGI variables, as both dashes and underscores are mapped to underscores during that process.

edited Mar 25 '20 at 04:42

the Tin Man

155,156
41
207
295

answered Apr 04 '14 at 07:58

Alexey Ten

12,922
5
42
52

29

Just spent hours debugging why my rails app works fine in development but not on production because of this :/ – Qwertie Aug 30 '17 at 00:49
11

Just spent hours debugging why my NodeJS app works fine in development but not on production because of this :/ – jujule Sep 24 '20 at 22:00
3

Just spent hours debugging why my Flask app works fine in development but not on production because of this :/ – SilverTear Aug 09 '21 at 04:29
Link to answer for Apache: https://stackoverflow.com/questions/17440564/all-caps-http-headers-with-underscores-dropped-in-apache-2-4 – jumpjack Sep 24 '21 at 08:21
4

Just spent 5 minutes debugging why my flask app doesnt work in dev or production and then thankfully stumbled upon this thread. Phew, dodged a bullet. – joidegn Sep 30 '21 at 09:28
Just spend days checking why app works locally but not in prod (kubernetes with nginx ingress) – faron Mar 21 '22 at 13:10

score 23 · Answer 2 · edited Oct 07 '21 at 05:49

23

Underscores in header fields are allowed per RFC 7230, sec. 3.2., but are uncommon.

edited Oct 07 '21 at 05:49

Community

1
1

answered Apr 04 '14 at 08:52

Julian Reschke

37,619
8
86
92

Why do HTTP servers forbid underscores in HTTP header names

2 Answers2

Linked

Related