Google Git
Sign in
apache / incubator-teaclave-sgx-sdk / refs/tags/v1.0.1 / . / third_party / http / util / src / main.rs
blob: fccf5da0a9191991e4cca9efd783f3895b8af3fb [file] [log] [blame]
macro_rules! standard_headers {
(
$(
$doc:expr,
$name:expr;
)+
) => {
const HEADERS: &[(&'static str, &'static str)] = &[
$(
($doc, $name),
)+
];
}
}
standard_headers! {
r#"
/// Advertises which content types the client is able to understand.
///
/// The Accept request HTTP header advertises which content types, expressed
/// as MIME types, the client is able to understand. Using content
/// negotiation, the server then selects one of the proposals, uses it and
/// informs the client of its choice with the Content-Type response header.
/// Browsers set adequate values for this header depending of the context
/// where the request is done: when fetching a CSS stylesheet a different
/// value is set for the request than when fetching an image, video or a
/// script.
"#,
"accept";
r#"
/// Advertises which character set the client is able to understand.
///
/// The Accept-Charset request HTTP header advertises which character set
/// the client is able to understand. Using content negotiation, the server
/// then selects one of the proposals, uses it and informs the client of its
/// choice within the Content-Type response header. Browsers usually don't
/// set this header as the default value for each content type is usually
/// correct and transmitting it would allow easier fingerprinting.
///
/// If the server cannot serve any matching character set, it can
/// theoretically send back a 406 (Not Acceptable) error code. But, for a
/// better user experience, this is rarely done and the more common way is
/// to ignore the Accept-Charset header in this case.
"#,
"accept-charset";
r#"
/// Advertises which content encoding the client is able to understand.
///
/// The Accept-Encoding request HTTP header advertises which content
/// encoding, usually a compression algorithm, the client is able to
/// understand. Using content negotiation, the server selects one of the
/// proposals, uses it and informs the client of its choice with the
/// Content-Encoding response header.
///
/// Even if both the client and the server supports the same compression
/// algorithms, the server may choose not to compress the body of a
/// response, if the identity value is also acceptable. Two common cases
/// lead to this:
///
/// * The data to be sent is already compressed and a second compression
/// won't lead to smaller data to be transmitted. This may the case with
/// some image formats;
///
/// * The server is overloaded and cannot afford the computational overhead
/// induced by the compression requirement. Typically, Microsoft recommends
/// not to compress if a server use more than 80 % of its computational
/// power.
///
/// As long as the identity value, meaning no encryption, is not explicitly
/// forbidden, by an identity;q=0 or a *;q=0 without another explicitly set
/// value for identity, the server must never send back a 406 Not Acceptable
/// error.
"#,
"accept-encoding";
r#"
/// Advertises which languages the client is able to understand.
///
/// The Accept-Language request HTTP header advertises which languages the
/// client is able to understand, and which locale variant is preferred.
/// Using content negotiation, the server then selects one of the proposals,
/// uses it and informs the client of its choice with the Content-Language
/// response header. Browsers set adequate values for this header according
/// their user interface language and even if a user can change it, this
/// happens rarely (and is frown upon as it leads to fingerprinting).
///
/// This header is a hint to be used when the server has no way of
/// determining the language via another way, like a specific URL, that is
/// controlled by an explicit user decision. It is recommended that the
/// server never overrides an explicit decision. The content of the
/// Accept-Language is often out of the control of the user (like when
/// traveling and using an Internet Cafe in a different country); the user
/// may also want to visit a page in another language than the locale of
/// their user interface.
///
/// If the server cannot serve any matching language, it can theoretically
/// send back a 406 (Not Acceptable) error code. But, for a better user
/// experience, this is rarely done and more common way is to ignore the
/// Accept-Language header in this case.
"#,
"accept-language";
r#"
/// Advertises which patch formats the server is able to understand.
///
/// Accept-Patch should appear in the OPTIONS response for any resource that
/// supports the use of the PATCH method. The presence of the
/// Accept-Patch header in response to any method is an implicit indication
/// that PATCH is allowed on the resource identified by the URI. The
/// presence of a specific patch document format in this header indicates
/// that that specific format is allowed on the resource identified by the
/// URI.
"#,
"accept-patch";
r#"
/// Marker used by the server to advertise partial request support.
///
/// The Accept-Ranges response HTTP header is a marker used by the server to
/// advertise its support of partial requests. The value of this field
/// indicates the unit that can be used to define a range.
///
/// In presence of an Accept-Ranges header, the browser may try to resume an
/// interrupted download, rather than to start it from the start again.
"#,
"accept-ranges";
r#"
/// Preflight response indicating if the response to the request can be
/// exposed to the page.
///
/// The Access-Control-Allow-Credentials response header indicates whether
/// or not the response to the request can be exposed to the page. It can be
/// exposed when the true value is returned; it can't in other cases.
///
/// Credentials are cookies, authorization headers or TLS client
/// certificates.
///
/// When used as part of a response to a preflight request, this indicates
/// whether or not the actual request can be made using credentials. Note
/// that simple GET requests are not preflighted, and so if a request is
/// made for a resource with credentials, if this header is not returned
/// with the resource, the response is ignored by the browser and not
/// returned to web content.
///
/// The Access-Control-Allow-Credentials header works in conjunction with
/// the XMLHttpRequest.withCredentials property or with the credentials
/// option in the Request() constructor of the Fetch API. Credentials must
/// be set on both sides (the Access-Control-Allow-Credentials header and in
/// the XHR or Fetch request) in order for the CORS request with credentials
/// to succeed.
"#,
"access-control-allow-credentials";
r#"
/// Preflight response indicating permitted HTTP headers.
///
/// The Access-Control-Allow-Headers response header is used in response to
/// a preflight request to indicate which HTTP headers will be available via
/// Access-Control-Expose-Headers when making the actual request.
///
/// The simple headers, Accept, Accept-Language, Content-Language,
/// Content-Type (but only with a MIME type of its parsed value (ignoring
/// parameters) of either application/x-www-form-urlencoded,
/// multipart/form-data, or text/plain), are always available and don't need
/// to be listed by this header.
///
/// This header is required if the request has an
/// Access-Control-Request-Headers header.
"#,
"access-control-allow-headers";
r#"
/// Preflight header response indicating permitted access methods.
///
/// The Access-Control-Allow-Methods response header specifies the method or
/// methods allowed when accessing the resource in response to a preflight
/// request.
"#,
"access-control-allow-methods";
r#"
/// Indicates whether the response can be shared with resources with the
/// given origin.
"#,
"access-control-allow-origin";
r#"
/// Indicates which headers can be exposed as part of the response by
/// listing their names.
"#,
"access-control-expose-headers";
r#"
/// Indicates how long the results of a preflight request can be cached.
"#,
"access-control-max-age";
r#"
/// Informs the server which HTTP headers will be used when an actual
/// request is made.
"#,
"access-control-request-headers";
r#"
/// Informs the server know which HTTP method will be used when the actual
/// request is made.
"#,
"access-control-request-method";
r#"
/// Indicates the time in seconds the object has been in a proxy cache.
///
/// The Age header is usually close to zero. If it is Age: 0, it was
/// probably just fetched from the origin server; otherwise It is usually
/// calculated as a difference between the proxy's current date and the Date
/// general header included in the HTTP response.
"#,
"age";
r#"
/// Lists the set of methods support by a resource.
///
/// This header must be sent if the server responds with a 405 Method Not
/// Allowed status code to indicate which request methods can be used. An
/// empty Allow header indicates that the resource allows no request
/// methods, which might occur temporarily for a given resource, for
/// example.
"#,
"allow";
r#"
/// Advertises the availability of alternate services to clients.
"#,
"alt-svc";
r#"
/// Contains the credentials to authenticate a user agent with a server.
///
/// Usually this header is included after the server has responded with a
/// 401 Unauthorized status and the WWW-Authenticate header.
"#,
"authorization";
r#"
/// Specifies directives for caching mechanisms in both requests and
/// responses.
///
/// Caching directives are unidirectional, meaning that a given directive in
/// a request is not implying that the same directive is to be given in the
/// response.
"#,
"cache-control";
r#"
/// Controls whether or not the network connection stays open after the
/// current transaction finishes.
///
/// If the value sent is keep-alive, the connection is persistent and not
/// closed, allowing for subsequent requests to the same server to be done.
///
/// Except for the standard hop-by-hop headers (Keep-Alive,
/// Transfer-Encoding, TE, Connection, Trailer, Upgrade, Proxy-Authorization
/// and Proxy-Authenticate), any hop-by-hop headers used by the message must
/// be listed in the Connection header, so that the first proxy knows he has
/// to consume them and not to forward them further. Standard hop-by-hop
/// headers can be listed too (it is often the case of Keep-Alive, but this
/// is not mandatory.
"#,
"connection";
r#"
/// Indicates if the content is expected to be displayed inline.
///
/// In a regular HTTP response, the Content-Disposition response header is a
/// header indicating if the content is expected to be displayed inline in
/// the browser, that is, as a Web page or as part of a Web page, or as an
/// attachment, that is downloaded and saved locally.
///
/// In a multipart/form-data body, the HTTP Content-Disposition general
/// header is a header that can be used on the subpart of a multipart body
/// to give information about the field it applies to. The subpart is
/// delimited by the boundary defined in the Content-Type header. Used on
/// the body itself, Content-Disposition has no effect.
///
/// The Content-Disposition header is defined in the larger context of MIME
/// messages for e-mail, but only a subset of the possible parameters apply
/// to HTTP forms and POST requests. Only the value form-data, as well as
/// the optional directive name and filename, can be used in the HTTP
/// context.
"#,
"content-disposition";
r#"
/// Used to compress the media-type.
///
/// When present, its value indicates what additional content encoding has
/// been applied to the entity-body. It lets the client know, how to decode
/// in order to obtain the media-type referenced by the Content-Type header.
///
/// It is recommended to compress data as much as possible and therefore to
/// use this field, but some types of resources, like jpeg images, are
/// already compressed. Sometimes using additional compression doesn't
/// reduce payload size and can even make the payload longer.
"#,
"content-encoding";
r#"
/// Used to describe the languages intended for the audience.
///
/// This header allows a user to differentiate according to the users' own
/// preferred language. For example, if "Content-Language: de-DE" is set, it
/// says that the document is intended for German language speakers
/// (however, it doesn't indicate the document is written in German. For
/// example, it might be written in English as part of a language course for
/// German speakers).
///
/// If no Content-Language is specified, the default is that the content is
/// intended for all language audiences. Multiple language tags are also
/// possible, as well as applying the Content-Language header to various
/// media types and not only to textual documents.
"#,
"content-language";
r#"
/// Indicates the size fo the entity-body.
///
/// The header value must be a decimal indicating the number of octets sent
/// to the recipient.
"#,
"content-length";
r#"
/// Indicates an alternate location for the returned data.
///
/// The principal use case is to indicate the URL of the resource
/// transmitted as the result of content negotiation.
///
/// Location and Content-Location are different: Location indicates the
/// target of a redirection (or the URL of a newly created document), while
/// Content-Location indicates the direct URL to use to access the resource,
/// without the need of further content negotiation. Location is a header
/// associated with the response, while Content-Location is associated with
/// the entity returned.
"#,
"content-location";
r#"
/// Contains the MD5 digest of the entity-body.
///
/// The Content-MD5 entity-header field, as defined in RFC 1864 [23], is an
/// MD5 digest of the entity-body for the purpose of providing an end-to-end
/// message integrity check (MIC) of the entity-body. (Note: a MIC is good
/// for detecting accidental modification of the entity-body in transit, but
/// is not proof against malicious attacks.)
"#,
"content-md5";
r#"
/// Indicates where in a full body message a partial message belongs.
"#,
"content-range";
r#"
/// Allows controlling resources the user agent is allowed to load for a
/// given page.
///
/// With a few exceptions, policies mostly involve specifying server origins
/// and script endpoints. This helps guard against cross-site scripting
/// attacks (XSS).
"#,
"content-security-policy";
r#"
/// Allows experimenting with policies by monitoring their effects.
///
/// The HTTP Content-Security-Policy-Report-Only response header allows web
/// developers to experiment with policies by monitoring (but not enforcing)
/// their effects. These violation reports consist of JSON documents sent
/// via an HTTP POST request to the specified URI.
"#,
"content-security-policy-report-only";
r#"
/// Used to indicate the media type of the resource.
///
/// In responses, a Content-Type header tells the client what the content
/// type of the returned content actually is. Browsers will do MIME sniffing
/// in some cases and will not necessarily follow the value of this header;
/// to prevent this behavior, the header X-Content-Type-Options can be set
/// to nosniff.
///
/// In requests, (such as POST or PUT), the client tells the server what
/// type of data is actually sent.
"#,
"content-type";
r#"
/// Contains stored HTTP cookies previously sent by the server with the
/// Set-Cookie header.
///
/// The Cookie header might be omitted entirely, if the privacy setting of
/// the browser are set to block them, for example.
"#,
"cookie";
r#"
/// Indicates the client's tracking preference.
///
/// This header lets users indicate whether they would prefer privacy rather
/// than personalized content.
"#,
"dnt";
r#"
/// Contains the date and time at which the message was originated.
"#,
"date";
r#"
/// Identifier for a specific version of a resource.
///
/// This header allows caches to be more efficient, and saves bandwidth, as
/// a web server does not need to send a full response if the content has
/// not changed. On the other side, if the content has changed, etags are
/// useful to help prevent simultaneous updates of a resource from
/// overwriting each other ("mid-air collisions").
///
/// If the resource at a given URL changes, a new Etag value must be
/// generated. Etags are therefore similar to fingerprints and might also be
/// used for tracking purposes by some servers. A comparison of them allows
/// to quickly determine whether two representations of a resource are the
/// same, but they might also be set to persist indefinitely by a tracking
/// server.
"#,
"etag";
r#"
/// Indicates expectations that need to be fulfilled by the server in order
/// to properly handle the request.
///
/// The only expectation defined in the specification is Expect:
/// 100-continue, to which the server shall respond with:
///
/// * 100 if the information contained in the header is sufficient to cause
/// an immediate success,
///
/// * 417 (Expectation Failed) if it cannot meet the expectation; or any
/// other 4xx status otherwise.
///
/// For example, the server may reject a request if its Content-Length is
/// too large.
///
/// No common browsers send the Expect header, but some other clients such
/// as cURL do so by default.
"#,
"expect";
r#"
/// Contains the date/time after which the response is considered stale.
///
/// Invalid dates, like the value 0, represent a date in the past and mean
/// that the resource is already expired.
///
/// If there is a Cache-Control header with the "max-age" or "s-max-age"
/// directive in the response, the Expires header is ignored.
"#,
"expires";
r#"
/// Contains information from the client-facing side of proxy servers that
/// is altered or lost when a proxy is involved in the path of the request.
///
/// The alternative and de-facto standard versions of this header are the
/// X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto headers.
///
/// This header is used for debugging, statistics, and generating
/// location-dependent content and by design it exposes privacy sensitive
/// information, such as the IP address of the client. Therefore the user's
/// privacy must be kept in mind when deploying this header.
"#,
"forwarded";
r#"
/// Contains an Internet email address for a human user who controls the
/// requesting user agent.
///
/// If you are running a robotic user agent (e.g. a crawler), the From
/// header should be sent, so you can be contacted if problems occur on
/// servers, such as if the robot is sending excessive, unwanted, or invalid
/// requests.
"#,
"from";
r#"
/// Specifies the domain name of the server and (optionally) the TCP port
/// number on which the server is listening.
///
/// If no port is given, the default port for the service requested (e.g.,
/// "80" for an HTTP URL) is implied.
///
/// A Host header field must be sent in all HTTP/1.1 request messages. A 400
/// (Bad Request) status code will be sent to any HTTP/1.1 request message
/// that lacks a Host header field or contains more than one.
"#,
"host";
r#"
/// Makes a request conditional based on the E-Tag.
///
/// For GET and HEAD methods, the server will send back the requested
/// resource only if it matches one of the listed ETags. For PUT and other
/// non-safe methods, it will only upload the resource in this case.
///
/// The comparison with the stored ETag uses the strong comparison
/// algorithm, meaning two files are considered identical byte to byte only.
/// This is weakened when the W/ prefix is used in front of the ETag.
///
/// There are two common use cases:
///
/// * For GET and HEAD methods, used in combination with an Range header, it
/// can guarantee that the new ranges requested comes from the same resource
/// than the previous one. If it doesn't match, then a 416 (Range Not
/// Satisfiable) response is returned.
///
/// * For other methods, and in particular for PUT, If-Match can be used to
/// prevent the lost update problem. It can check if the modification of a
/// resource that the user wants to upload will not override another change
/// that has been done since the original resource was fetched. If the
/// request cannot be fulfilled, the 412 (Precondition Failed) response is
/// returned.
"#,
"if-match";
r#"
/// Makes a request conditional based on the modification date.
///
/// The If-Modified-Since request HTTP header makes the request conditional:
/// the server will send back the requested resource, with a 200 status,
/// only if it has been last modified after the given date. If the request
/// has not been modified since, the response will be a 304 without any
/// body; the Last-Modified header will contain the date of last
/// modification. Unlike If-Unmodified-Since, If-Modified-Since can only be
/// used with a GET or HEAD.
///
/// When used in combination with If-None-Match, it is ignored, unless the
/// server doesn't support If-None-Match.
///
/// The most common use case is to update a cached entity that has no
/// associated ETag.
"#,
"if-modified-since";
r#"
/// Makes a request conditional based on the E-Tag.
///
/// The If-None-Match HTTP request header makes the request conditional. For
/// GET and HEAD methods, the server will send back the requested resource,
/// with a 200 status, only if it doesn't have an ETag matching the given
/// ones. For other methods, the request will be processed only if the
/// eventually existing resource's ETag doesn't match any of the values
/// listed.
///
/// When the condition fails for GET and HEAD methods, then the server must
/// return HTTP status code 304 (Not Modified). For methods that apply
/// server-side changes, the status code 412 (Precondition Failed) is used.
/// Note that the server generating a 304 response MUST generate any of the
/// following header fields that would have been sent in a 200 (OK) response
/// to the same request: Cache-Control, Content-Location, Date, ETag,
/// Expires, and Vary.
///
/// The comparison with the stored ETag uses the weak comparison algorithm,
/// meaning two files are considered identical not only if they are
/// identical byte to byte, but if the content is equivalent. For example,
/// two pages that would differ only by the date of generation in the footer
/// would be considered as identical.
///
/// When used in combination with If-Modified-Since, it has precedence (if
/// the server supports it).
///
/// There are two common use cases:
///
/// * For `GET` and `HEAD` methods, to update a cached entity that has an associated ETag.
/// * For other methods, and in particular for `PUT`, `If-None-Match` used with
/// the `*` value can be used to save a file not known to exist,
/// guaranteeing that another upload didn't happen before, losing the data
/// of the previous put; this problems is the variation of the lost update
/// problem.
"#,
"if-none-match";
r#"
/// Makes a request conditional based on range.
///
/// The If-Range HTTP request header makes a range request conditional: if
/// the condition is fulfilled, the range request will be issued and the
/// server sends back a 206 Partial Content answer with the appropriate
/// body. If the condition is not fulfilled, the full resource is sent back,
/// with a 200 OK status.
///
/// This header can be used either with a Last-Modified validator, or with
/// an ETag, but not with both.
///
/// The most common use case is to resume a download, to guarantee that the
/// stored resource has not been modified since the last fragment has been
/// received.
"#,
"if-range";
r#"
/// Makes the request conditional based on the last modification date.
///
/// The If-Unmodified-Since request HTTP header makes the request
/// conditional: the server will send back the requested resource, or accept
/// it in the case of a POST or another non-safe method, only if it has not
/// been last modified after the given date. If the request has been
/// modified after the given date, the response will be a 412 (Precondition
/// Failed) error.
///
/// There are two common use cases:
///
/// * In conjunction non-safe methods, like POST, it can be used to
/// implement an optimistic concurrency control, like done by some wikis:
/// editions are rejected if the stored document has been modified since the
/// original has been retrieved.
///
/// * In conjunction with a range request with a If-Range header, it can be
/// used to ensure that the new fragment requested comes from an unmodified
/// document.
"#,
"if-unmodified-since";
r#"
/// Content-Types that are acceptable for the response.
"#,
"last-modified";
r#"
/// Hint about how the connection and may be used to set a timeout and a
/// maximum amount of requests.
"#,
"keep-alive";
r#"
/// Allows the server to point an interested client to another resource
/// containing metadata about the requested resource.
"#,
"link";
r#"
/// Indicates the URL to redirect a page to.
///
/// The Location response header indicates the URL to redirect a page to. It
/// only provides a meaning when served with a 3xx status response.
///
/// The HTTP method used to make the new request to fetch the page pointed
/// to by Location depends of the original method and of the kind of
/// redirection:
///
/// * If 303 (See Also) responses always lead to the use of a GET method,
/// 307 (Temporary Redirect) and 308 (Permanent Redirect) don't change the
/// method used in the original request;
///
/// * 301 (Permanent Redirect) and 302 (Found) doesn't change the method
/// most of the time, though older user-agents may (so you basically don't
/// know).
///
/// All responses with one of these status codes send a Location header.
///
/// Beside redirect response, messages with 201 (Created) status also
/// include the Location header. It indicates the URL to the newly created
/// resource.
///
/// Location and Content-Location are different: Location indicates the
/// target of a redirection (or the URL of a newly created resource), while
/// Content-Location indicates the direct URL to use to access the resource
/// when content negotiation happened, without the need of further content
/// negotiation. Location is a header associated with the response, while
/// Content-Location is associated with the entity returned.
"#,
"location";
r#"
/// Indicates the max number of intermediaries the request should be sent
/// through.
"#,
"max-forwards";
r#"
/// Indicates where a fetch originates from.
///
/// It doesn't include any path information, but only the server name. It is
/// sent with CORS requests, as well as with POST requests. It is similar to
/// the Referer header, but, unlike this header, it doesn't disclose the
/// whole path.
"#,
"origin";
r#"
/// HTTP/1.0 header usually used for backwards compatibility.
///
/// The Pragma HTTP/1.0 general header is an implementation-specific header
/// that may have various effects along the request-response chain. It is
/// used for backwards compatibility with HTTP/1.0 caches where the
/// Cache-Control HTTP/1.1 header is not yet present.
"#,
"pragma";
r#"
/// Defines the authentication method that should be used to gain access to
/// a proxy.
///
/// Unlike `www-authenticate`, the `proxy-authenticate` header field applies
/// only to the next outbound client on the response chain. This is because
/// only the client that chose a given proxy is likely to have the
/// credentials necessary for authentication. However, when multiple proxies
/// are used within the same administrative domain, such as office and
/// regional caching proxies within a large corporate network, it is common
/// for credentials to be generated by the user agent and passed through the
/// hierarchy until consumed. Hence, in such a configuration, it will appear
/// as if Proxy-Authenticate is being forwarded because each proxy will send
/// the same challenge set.
///
/// The `proxy-authenticate` header is sent along with a `407 Proxy
/// Authentication Required`.
"#,
"proxy-authenticate";
r#"
/// Contains the credentials to authenticate a user agent to a proxy server.
///
/// This header is usually included after the server has responded with a
/// 407 Proxy Authentication Required status and the Proxy-Authenticate
/// header.
"#,
"proxy-authorization";
r#"
/// Associates a specific cryptographic public key with a certain server.
///
/// This decreases the risk of MITM attacks with forged certificates. If one
/// or several keys are pinned and none of them are used by the server, the
/// browser will not accept the response as legitimate, and will not display
/// it.
"#,
"public-key-pins";
r#"
/// Sends reports of pinning violation to the report-uri specified in the
/// header.
///
/// Unlike `Public-Key-Pins`, this header still allows browsers to connect
/// to the server if the pinning is violated.
"#,
"public-key-pins-report-only";
r#"
/// Indicates the part of a document that the server should return.
///
/// Several parts can be requested with one Range header at once, and the
/// server may send back these ranges in a multipart document. If the server
/// sends back ranges, it uses the 206 Partial Content for the response. If
/// the ranges are invalid, the server returns the 416 Range Not Satisfiable
/// error. The server can also ignore the Range header and return the whole
/// document with a 200 status code.
"#,
"range";
r#"
/// Contains the address of the previous web page from which a link to the
/// currently requested page was followed.
///
/// The Referer header allows servers to identify where people are visiting
/// them from and may use that data for analytics, logging, or optimized
/// caching, for example.
"#,
"referer";
r#"
/// Governs which referrer information should be included with requests
/// made.
"#,
"referrer-policy";
r#"
/// Informs the web browser that the current page or frame should be
/// refreshed.
"#,
"refresh";
r#"
/// The Retry-After response HTTP header indicates how long the user agent
/// should wait before making a follow-up request. There are two main cases
/// this header is used:
///
/// * When sent with a 503 (Service Unavailable) response, it indicates how
/// long the service is expected to be unavailable.
///
/// * When sent with a redirect response, such as 301 (Moved Permanently),
/// it indicates the minimum time that the user agent is asked to wait
/// before issuing the redirected request.
"#,
"retry-after";
r#"
/// Contains information about the software used by the origin server to
/// handle the request.
///
/// Overly long and detailed Server values should be avoided as they
/// potentially reveal internal implementation details that might make it
/// (slightly) easier for attackers to find and exploit known security
/// holes.
"#,
"server";
r#"
/// Used to send cookies from the server to the user agent.
"#,
"set-cookie";
r#"
/// Tells the client to communicate with HTTPS instead of using HTTP.
"#,
"strict-transport-security";
r#"
/// Informs the server of transfer encodings willing to be accepted as part
/// of the response.
///
/// See also the Transfer-Encoding response header for more details on
/// transfer encodings. Note that chunked is always acceptable for HTTP/1.1
/// recipients and you that don't have to specify "chunked" using the TE
/// header. However, it is useful for setting if the client is accepting
/// trailer fields in a chunked transfer coding using the "trailers" value.
"#,
"te";
r#"
/// Indicates the tracking status that applied to the corresponding request.
"#,
"tk";
r#"
/// Allows the sender to include additional fields at the end of chunked
/// messages.
"#,
"trailer";
r#"
/// Specifies the form of encoding used to safely transfer the entity to the
/// client.
///
/// `transfer-encoding` is a hop-by-hop header, that is applying to a
/// message between two nodes, not to a resource itself. Each segment of a
/// multi-node connection can use different `transfer-encoding` values. If
/// you want to compress data over the whole connection, use the end-to-end
/// header `content-encoding` header instead.
///
/// When present on a response to a `HEAD` request that has no body, it
/// indicates the value that would have applied to the corresponding `GET`
/// message.
"#,
"transfer-encoding";
r#"
/// A response to the client's tracking preference.
///
/// A tracking status value (TSV) is a single character response to the
/// user's tracking preference with regard to data collected via the
/// designated resource. For a site-wide tracking status resource, the
/// designated resource is any resource on the same origin server. For a Tk
/// response header field, the target resource of the corresponding request
/// is the designated resource, and remains so for any subsequent
/// request-specific tracking status resource referred to by the Tk field
/// value.
"#,
"tsv";
r#"
/// Contains a string that allows identifying the requesting client's
/// software.
"#,
"user-agent";
r#"
/// Used as part of the exchange to upgrade the protocol.
"#,
"upgrade";
r#"
/// Sends a signal to the server expressing the client’s preference for an
/// encrypted and authenticated response.
"#,
"upgrade-insecure-requests";
r#"
/// Determines how to match future requests with cached responses.
///
/// The `vary` HTTP response header determines how to match future request
/// headers to decide whether a cached response can be used rather than
/// requesting a fresh one from the origin server. It is used by the server
/// to indicate which headers it used when selecting a representation of a
/// resource in a content negotiation algorithm.
///
/// The `vary` header should be set on a 304 Not Modified response exactly
/// like it would have been set on an equivalent 200 OK response.
"#,
"vary";
r#"
/// Added by proxies to track routing.
///
/// The `via` general header is added by proxies, both forward and reverse
/// proxies, and can appear in the request headers and the response headers.
/// It is used for tracking message forwards, avoiding request loops, and
/// identifying the protocol capabilities of senders along the
/// request/response chain.
"#,
"via";
r#"
/// General HTTP header contains information about possible problems with
/// the status of the message.
///
/// More than one `warning` header may appear in a response. Warning header
/// fields can in general be applied to any message, however some warn-codes
/// are specific to caches and can only be applied to response messages.
"#,
"warning";
r#"
/// Defines the authentication method that should be used to gain access to
/// a resource.
"#,
"www-authenticate";
r#"
/// Marker used by the server to indicate that the MIME types advertised in
/// the `content-type` headers should not be changed and be followed.
///
/// This allows to opt-out of MIME type sniffing, or, in other words, it is
/// a way to say that the webmasters knew what they were doing.
///
/// This header was introduced by Microsoft in IE 8 as a way for webmasters
/// to block content sniffing that was happening and could transform
/// non-executable MIME types into executable MIME types. Since then, other
/// browsers have introduced it, even if their MIME sniffing algorithms were
/// less aggressive.
///
/// Site security testers usually expect this header to be set.
"#,
"x-content-type-options";
r#"
/// Controls DNS prefetching.
///
/// The `x-dns-prefetch-control` HTTP response header controls DNS
/// prefetching, a feature by which browsers proactively perform domain name
/// resolution on both links that the user may choose to follow as well as
/// URLs for items referenced by the document, including images, CSS,
/// JavaScript, and so forth.
///
/// This prefetching is performed in the background, so that the DNS is
/// likely to have been resolved by the time the referenced items are
/// needed. This reduces latency when the user clicks a link.
"#,
"x-dns-prefetch-control";
r#"
/// Indicates whether or not a browser should be allowed to render a page in
/// a frame.
///
/// Sites can use this to avoid clickjacking attacks, by ensuring that their
/// content is not embedded into other sites.
///
/// The added security is only provided if the user accessing the document
/// is using a browser supporting `x-frame-options`.
"#,
"x-frame-options";
r#"
/// Stop pages from loading when an XSS attack is detected.
///
/// The HTTP X-XSS-Protection response header is a feature of Internet
/// Explorer, Chrome and Safari that stops pages from loading when they
/// detect reflected cross-site scripting (XSS) attacks. Although these
/// protections are largely unnecessary in modern browsers when sites
/// implement a strong Content-Security-Policy that disables the use of
/// inline JavaScript ('unsafe-inline'), they can still provide protections
/// for users of older web browsers that don't yet support CSP.
"#,
"x-xss-protection";
}
fn constantize(s: &str) -> String {
let parts = s.split("-").map(|s| {
s.chars().enumerate().map(|(n, c)| {
if n == 0 {
c.to_uppercase().to_string()
} else {
c.to_string()
}
})
});
let mut res = String::new();
for part in parts {
res.extend(part);
}
res
}
fn upcase(s: &str) -> String {
let mut ret = String::new();
for ch in s.chars() {
if ch == '-' {
ret.push('_');
} else {
for ch in ch.to_uppercase() {
ret.push(ch);
}
}
}
ret
}
pub fn main() {
for &(doc, string) in HEADERS.iter() {
println!("{}", &doc[1..doc.len()-5]);
println!(" ({}, {}, {:?});", constantize(string), upcase(string), string);
println!("");
}
}