Is Strict-Transport-Security HTTP header name case-sensitive?

Question

I'm digging into the HTTP Strict-Transport-Security specification, https://www.rfc-editor.org/rfc/rfc6797

It specifies the syntax of the header like this:

Strict-Transport-Security: max-age=15768000 ; includeSubDomains

The RFC specifies that directive names such as "max-age" are case-insensitive, but does explicitly state whether the header name, "Strict-Transport-Security", is case-sensitive. Are there any more general rules to govern that? Or perhaps I'm missing something in the RFC?

score 3 · Accepted Answer · edited Oct 07 '21 at 07:34

3

All HTTP header field names are case-insensitive. RFC 7230 § 3.2 states:

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

edited Oct 07 '21 at 07:34

Community

1

answered May 26 '15 at 14:48

Michael Hampton

244,070
43
506
972

Is Strict-Transport-Security HTTP header name case-sensitive?

1 Answers1