Internet Explorer and Custom HTTP Headers

Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years. Here's the list I've come up with so far (including a few that were introduced before I joined the team):

Request Headers

UA-CPU

Allows a website to determine which CPU architecture a client is using ("x86", "AMD64", or "IA64"). IE7 clients emit this header unconditionally on 64-bit machines; in IE6 and IE8, the header is sent only when using the 64-bit browser.

Response Headers

X-Meta-MSSmartTagsPreventParsing

Introduced in IE6 Betas for a “SmartTags” feature which never shipped in the final version. This meta tag has no effect on any non-beta version of IE.

Incidentally, it looks like some sites might also be trying to use "X-Meta-MSThemeCompatible" and "X-Meta-imagetoolbar" to control IE features, although as far as I can tell, these directives were never respected as headers.

Proxy-Support

Introduced in IE5 (or 6?) to allow proxies to specify that they understand NTLM/Negotiate authentication schemes. It has one legal value ("Session-Based-Authentication"). If present, IE will permit the multi-step NTLM/Negotiate handshake to take place through a proxy server. Otherwise, the 401 is treated as a fatal error and returned to the client.

X-UA-Compatible

Introduced in IE8 to allow sites to declare compatibility with a specific UA version.

https://blogs.msdn.com/ie/archive/2008/06/10/introducing-ie-emulateie7.aspx

Currently supported only in IE8. It looks like this one is quickly becoming common.

X-XSS-Protection

Introduced in IE8 to allow sites to opt out of the XSS Filter. Legal values are "0" and "1":

https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

Currently supported only in IE8.

X-Content-Type-Options

Introduced in IE8 to allow sites to opt out of MIME sniffing.

https://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

Currently only supported in IE8. Broadly used on some major sites, including Google.

X-Download-Options

Introduced in IE8 to control visibility of the "Open" button on the file download dialog.

https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

Partially obsoletes existing "DownloadOptions" META tag:

https://msdn.microsoft.com/en-us/library/ms533689(VS.85).aspx

Currently only supported in IE8.

X-Frame-Options

Introduced in IE8 to help mitigate ClickJacking ("UI-Redress") attacks.

https://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Supported in IE8 and Safari 4. It looks like this one is quickly becoming common.

If I've missed any, please let me know. :-)

-Eric
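
As an added example (not code from this post or from the IE team), the following Python audits a raw HTTP response for the response headers listed above, including the X-Meta-* directives the post says have no effect as headers. Only the X-XSS-Protection values come from the post; the other accepted tokens (nosniff, noopen, DENY, SAMEORIGIN), the function names and the sample response are assumptions of this example.

```python
# Added example. Only the X-XSS-Protection values ("0", "1") are stated in the
# post; the other tokens are those headers' documented values (assumption here).
KNOWN_VALUES = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"0", "1"},
    "x-download-options": {"noopen"},
}
# Directives the post says have no effect when sent as headers.
NO_EFFECT = {"x-meta-mssmarttagspreventparsing", "x-meta-msthemecompatible",
             "x-meta-imagetoolbar"}

def parse_headers(raw):
    """Return {lowercased name: [values]}; header names are case-insensitive."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body
    headers = {}
    for line in head.split("\n")[1:]:                      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Map each header of interest to a status string."""
    headers = parse_headers(raw)
    report = {}
    for name, allowed in KNOWN_VALUES.items():
        values = headers.get(name, [])
        # Compare only the first token; parameters after ";" are ignored.
        token = values[0].split(";", 1)[0].strip().lower() if values else None
        if not values:
            report[name] = "absent"
        elif len(values) > 1:
            report[name] = "duplicate"       # conflicting copies are ambiguous
        elif token not in allowed:
            report[name] = "unrecognized"
        elif name == "x-xss-protection" and token == "0":
            report[name] = "opted-out"       # site switched the XSS Filter off
        else:
            report[name] = "ok"
    for name in NO_EFFECT.intersection(headers):
        report[name] = "no-effect"
    return report

# Constructed sample response, not captured from a real site.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "x-content-type-options: NoSniff\r\nX-Frame-Options: ALLOWALL\r\n"
          "X-XSS-Protection: 0\r\nX-Meta-imagetoolbar: no\r\n\r\n<html></html>")
if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE).items()):
        print(f"{name}: {status}")
```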