Internet Explorer and Custom HTTP Headers

Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years.  Here's the list I've come up with so far (including a few that were introduced before I joined the team):

Request Headers



Allows a website to determine what CPU a client is using ("x86" or "AMD64" or "IA64"). IE7 clients emit this header unconditionally on 64bit machines; in IE6 & 8, the header is only sent when using the 64bit browser.


Response Headers



Introduced in IE6 Betas for a “SmartTags” feature which never shipped in the final version. This meta tag has no effect on any non-beta version of IE.


Incidentally, it looks like some sites might also be trying to use "X-Meta-MSThemeCompatible" and "X-Meta-imagetoolbar" to control IE features, although as far as I can tell, these directives were never respected as headers.



Introduced in IE5 (or 6?) to allow proxies to specify that they understand NTLM/Negotiate authentication schemes.  It has one legal value ("Session-Based-Authentication").  If present, IE will permit the multi-step NTLM/Negotiate handshake to take place through a proxy server.  Otherwise, the 401 is treated as a fatal error and returned to the client.



Introduced in IE8 to allow sites to declare compatibility with a specific UA version.

Currently supported only in IE8. It looks like this one is quickly becoming common.



Introduced in IE8 to allow sites to opt-out of the XSS Filter.  Legal values "0" and "1":

Currently supported only in IE8.



Introduced in IE8 to opt-out of MIME sniffing.

Currently only supported in IE8.  Broadly used on some major sites, including Google.



Introduced in IE8 to control visibility of the "Open" button on the file download dialog.

Partially obsoletes existing "DownloadOptions" META tag:

Currently only supported in IE8.



Introduced in IE8 to help mitigate ClickJacking ("UI-Redress") attacks.

Supported in IE8 and Safari 4. It looks like this one is quickly becoming common.

If I've missed any, please let me know.  🙂


Comments (0)

Skip to main content