HTTP-header hygiene

HTTP header hygiene is the practice of configuring HTTP headers so that they improve web security and performance: headers that enforce security policies, provide the information the client and server actually need, and control caching and other response behaviours are sent correctly, and nothing beyond what is needed is sent at all.

HTTP headers included in transactions must adhere to the following principle:

Only transmit HTTP headers that are necessary for the functioning of the HTTP protocol and the web application.

(NCSC; U/PW.02 principle 4)

Important Notes

  • This list is not exhaustive. Additional headers may be required depending on specific application or integration needs (e.g., FHIR version negotiation, content encoding, CORS, etc.).

  • Any custom or non-standard headers must be documented and justified for their relevance to the functioning of the service.

  • Headers revealing internal infrastructure details (e.g., Server, X-Powered-By) must not be exposed unless strictly necessary.
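The notes above translate into a simple audit: every response header is either needed by the protocol or application, a known infrastructure-revealing header that must go, or a custom header that needs written justification. The following checker is an added example, not part of the original page; the allowlist is an assumption for a JSON/FHIR API (each service must derive its own), and X-AspNet-Version is an extra infrastructure-revealing header assumed by the editor beyond the two the page names.

```python
"""Audit a raw HTTP response header block against the 'only what is necessary' rule.

Added example (not from the original page). ALLOWED is an assumed allowlist for a
JSON/FHIR API; a real service must list exactly the headers it needs.
"""

# Headers the page names as revealing internal infrastructure (Server, X-Powered-By);
# X-AspNet-Version is an additional, assumed entry.
INFRA_REVEALING = {"server", "x-powered-by", "x-aspnet-version"}

# Assumed allowlist: protocol-level and security-policy headers.
ALLOWED = {
    "content-type", "content-length", "date", "cache-control", "etag",
    "content-encoding", "vary", "location",
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
}


def audit_headers(raw_headers: str) -> dict:
    """Classify each header in a CRLF-separated header block.

    Returns {'reveal': [...], 'undocumented': [...], 'ok': [...]}: headers that must
    be removed, custom headers that need a documented justification, and headers
    covered by the allowlist. Header names are compared case-insensitively.
    """
    report = {"reveal": [], "undocumented": [], "ok": []}
    for line in raw_headers.split("\r\n"):
        if not line:            # empty line ends the header block
            break
        name, _, _value = line.partition(":")
        name = name.strip()
        key = name.lower()
        if key in INFRA_REVEALING:
            report["reveal"].append(name)
        elif key in ALLOWED:
            report["ok"].append(name)
        else:
            report["undocumented"].append(name)
    return report


# Constructed sample: headers as a server might emit them before hardening.
SAMPLE = (
    "Content-Type: application/fhir+json\r\n"
    "Server: nginx/1.25.3\r\n"
    "X-Powered-By: Express\r\n"
    "X-Request-Id: req-0001\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for kind, names in audit_headers(SAMPLE).items():
        print(f"{kind}: {names}")
```

Headers in the `reveal` list are removed at the reverse proxy or framework; each `undocumented` entry is either added to the service's own allowlist with its justification recorded, or dropped.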