Are Duplicate HTTP Response Headers acceptable?

Http Headers

Http Headers Problem Overview

I have not found any specification about whether duplicate HTTP response headers are allowed by the standard, but I need to know if this will cause compatibility issues.

Say I have a response header like this:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Cache-Control: no-cache
Cache-Control: no-store
Location: http://localhost:9876/foo.bar
Content-Language: en-US
Content-Length: 0
Date: Mon, 06 Dec 2010 21:18:26 GMT

Notice that there are two Cache-Control headers with different values. Do browsers always treat them as if they are written like "Cache-Control: no-cache, no-store"?

Http Headers Solutions

Solution 1 - Http Headers

Yes

HTTP RFC2616 available here says:

> Multiple message-header fields with the same field-name MAY be present > in a message if and only if the entire field-value for that header > field is defined as a comma-separated list [i.e., #(values)]. It MUST > be possible to combine the multiple header fields into one > "field-name: field-value" pair, without changing the semantics of the > message, by appending each subsequent field-value to the first, each > separated by a comma. The order in which header fields with the same > field-name are received is therefore significant to the interpretation > of the combined field value, and thus a proxy MUST NOT change the > order of these field values when a message is forwarded

So, multiple headers with the same name is ok (www-authenticate is such a case) if the entire field-value is defined as a comma-separated list of values.

Cache-control is documented here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9 like this:

Cache-Control   = "Cache-Control" ":" 1#cache-directive

The #1cache-directive syntax defines a list of at least one cache-directive elements (see here for the formal definition of #values: Notational Conventions and Generic Grammar)

So, yes,

Cache-Control: no-cache, no-store

is equivalent to (order is important)

Cache-Control: no-cache
Cache-Control: no-store

Solution 2 - Http Headers

Note that the HSTS RFC6797 contradicts the RFC2616 (violating the "if and only if" language) by defining the behavior for multiple instances of the STS header, though it is not populated with comma-separated values:

  "If a UA receives more than one STS header field in an HTTP
  response message over secure transport, then the UA MUST process
  only the first such header field."
Categories
Recommended Http Headers Solutions

Previous Solution:

Is null reference possible?

C++ReferenceNullLanguage Lawyer

Next Solution:

Unable to load SOS in WinDbg

.Net 4.0WindbgSos

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionSu ZhangView Question on Stackoverflow
Solution 1 - Http HeadersSimon MourierView Answer on Stackoverflow
Solution 2 - Http HeadersPosterBoyView Answer on Stackoverflow