Internet Explorer and Custom HTTP Headers
Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years. Here's the list I've come up with so far (including a few that were introduced before I joined the team):
Request Headers
UA-CPU
Allows a website to determine what CPU a client is using ("x86" or "AMD64" or "IA64"). IE7 clients emit this header unconditionally on 64-bit machines; in IE6 and IE8, the header is only sent when using the 64-bit browser.
Response Headers
X-Meta-MSSmartTagsPreventParsing
Introduced in IE6 Betas for a “SmartTags” feature which never shipped in the final version. This meta tag has no effect on any non-beta version of IE.
Incidentally, it looks like some sites might also be trying to use "X-Meta-MSThemeCompatible" and "X-Meta-imagetoolbar" to control IE features, although as far as I can tell, these directives were never respected as headers.
Proxy-Support
Introduced in IE5 (or 6?) to allow proxies to specify that they understand NTLM/Negotiate authentication schemes. It has one legal value ("Session-Based-Authentication"). If present, IE will permit the multi-step NTLM/Negotiate handshake to take place through a proxy server. Otherwise, the 401 is treated as a fatal error and returned to the client.
X-UA-Compatible
Introduced in IE8 to allow sites to declare compatibility with a specific UA version.
https://blogs.msdn.com/ie/archive/2008/06/10/introducing-ie-emulateie7.aspx
Currently supported only in IE8. It looks like this one is quickly becoming common.
X-XSS-Protection
Introduced in IE8 to allow sites to opt out of the XSS Filter. Legal values are "0" and "1":
https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Currently supported only in IE8.
X-Content-Type-Options
Introduced in IE8 to allow sites to opt out of MIME sniffing.
https://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Currently only supported in IE8. Broadly used on some major sites, including Google.
X-Download-Options
Introduced in IE8 to control visibility of the "Open" button on the file download dialog.
https://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Partially obsoletes the existing "DownloadOptions" META tag:
https://msdn.microsoft.com/en-us/library/ms533689(VS.85).aspx
Currently only supported in IE8.
X-Frame-Options
Introduced in IE8 to help mitigate ClickJacking ("UI-Redress") attacks.
https://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
Supported in IE8 and Safari 4. It looks like this one is quickly becoming common.
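As an added example (not code from the original post or from the IE team), the following Python sketch audits a raw HTTP response for the response headers listed above, flagging misspelled values, conflicting duplicates, and X-Meta-* headers that have no effect. The function name audit_headers, the status labels, and the sample response are assumptions made for illustration.

```python
# Values accepted per header. "0"/"1" and "Session-Based-Authentication" are
# given in the post; nosniff, noopen, DENY and SAMEORIGIN are the documented
# IE8 values for the other headers and are not stated in the post itself.
ALLOWED = {
    "x-xss-protection": {"0", "1"},
    "x-content-type-options": {"nosniff"},
    "x-download-options": {"noopen"},
    "x-frame-options": {"deny", "sameorigin"},
    "proxy-support": {"session-based-authentication"},
}
OPT_IN = ("x-content-type-options", "x-download-options", "x-frame-options")


def audit_headers(raw_response):
    """Return {lower-cased header name: status} for a raw HTTP response string."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    seen = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            seen.setdefault(name.strip().lower(), []).append(value.strip())
    report = {}
    for name, values in seen.items():
        if name.startswith("x-meta-"):
            report[name] = "inert"  # per the post, no effect as an HTTP header
        elif name in ALLOWED:
            # Compare only the first token; parameters after ";" are ignored.
            tokens = {v.split(";", 1)[0].strip().lower() for v in values}
            if len(tokens) > 1:
                report[name] = "conflict"  # duplicate headers that disagree
            elif tokens <= ALLOWED[name]:
                report[name] = "valid"
            else:
                report[name] = "invalid"
    for name in OPT_IN:  # opt-in protections are reported when not sent at all
        report.setdefault(name, "absent")
    return report


# Constructed sample response, not captured from a real server.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-XSS-Protection: 0\r\nX-Content-Type-Options: no-sniff\r\n"
          "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n"
          "X-Meta-imagetoolbar: no\r\n\r\n<html></html>")

if __name__ == "__main__":
    for header, status in sorted(audit_headers(SAMPLE).items()):
        print(f"{header}: {status}")
```

A status of "valid" only means the value is well-formed; "X-XSS-Protection: 0" is valid and still switches the filter off.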
If I've missed any, please let me know. :-)
-Eric