An HTTP request can include any number of optional headers. These headers are typically used to provide more information about the client, which in turn allows the server to better handle the request. For example, a client may wish to send the "Accept-Language: da" header to tell the server that documents in the Danish language are preferred. Supplying additional header information with each request can greatly improve the interaction between the client and server. However, there are a few such headers which can, unknown to the user, expose private information.
The User-Agent header is used to provide information about the web browser software and the type of computer system being used. An example value of this header would be "Mozilla/3.0 (Win95; I)". This agent value says that the web browser is Netscape Navigator (code-named Mozilla) version 3.0 running on the Windows 95 operating system. When this agent information is received, a web server can provide custom output based on the features known to be supported in that particular version of the software. While this can be a useful feature, there may be cases where the user does not want to reveal this information. However, with most web browsers it is very difficult or impossible to modify the User-Agent header or to suppress it.
It should also be noted that Internet Explorer identifies itself as "Mozilla" to ensure that web servers send it all the features that are normally sent to Netscape Navigator. An example Internet Explorer agent would be "Mozilla/4.0 (compatible; MSIE 4.0b1; SunOS 5.5 sun4u; X11)", which means Microsoft Internet Explorer version 4.0b1 running on the SunOS 5.5 operating system using the sun4u architecture and the X11 window system. It also claims to be compatible with all the features present in Netscape Navigator (Mozilla) version 4.0.
Another header that exposes user information is the Referer[sic] header. The Referer header is used to provide the URL of the immediately preceding web page and is typically sent by web browsers with each request. The contents of this header can be used by web site administrators to build useful statistics, such as determining which web pages are used to reach other pages and which external web sites link to local web pages. Web pages can also be modified to include a customized link back to the previous page to improve site navigation. The downside to the Referer header is that browsers do not provide a way to control whether or when this header is sent. For example, a user may not want SiteA to know that it was reached by following a link from SiteB. There are also cases where browsers send a Referer header even when there is no link between the two URLs. This happens when a URL is manually entered and the URL of the page currently being viewed is sent as a Referer, just as if the URL were a link on the page. Even though the HTTP 1.1 specification recommends that web browsers should make sending Referer information optional, most web browsers do not provide this option.
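The following is an added example, not code from the original article: a small Python inspector that parses a raw HTTP/1.x request, reports which of the headers discussed above (User-Agent, Referer, Accept-Language) the request discloses, breaks the Mozilla-style User-Agent value into its product and platform fields, checks whether the Referer tells the destination site it was reached from a different site, and rebuilds the request with those headers removed, which is what a privacy-conscious client or filtering proxy would send. The sample request, its host names and the helper names are constructed for this illustration.

```python
"""Inspect which client-disclosing headers a raw HTTP/1.x request carries.

Added example (not from the original article). The request below is
constructed, not captured; host names are placeholders.
"""
import re
from urllib.parse import urlsplit

# Headers the article discusses as revealing information about the client.
DISCLOSING_HEADERS = {
    "user-agent": "browser software and operating system",
    "referer": "URL of the previously viewed page",
    "accept-language": "preferred document languages",
}

# Constructed sample request in the style of the browsers the article describes.
SAMPLE_REQUEST = (
    b"GET /docs/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.0b1; SunOS 5.5 sun4u; X11)\r\n"
    b"Referer: http://www.example.net/links.html\r\n"
    b"Accept-Language: da\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw request into (method, target, version, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; values keep their original text.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return method, target, version, headers


def parse_user_agent(ua):
    """Split a Mozilla-style User-Agent into its product token and the
    semicolon-separated platform fields inside the parentheses."""
    m = re.match(r"(\S+)\s*(?:\((.*?)\))?", ua)
    if not m:
        return {"product": ua, "comment": []}
    comment = [c.strip() for c in (m.group(2) or "").split(";") if c.strip()]
    return {"product": m.group(1), "comment": comment}


def disclosed_info(raw):
    """Return (header, value, what it reveals) for each disclosing header present."""
    _m, _t, _v, headers = parse_request(raw)
    return [
        (name, headers[name], meaning)
        for name, meaning in DISCLOSING_HEADERS.items()
        if name in headers
    ]


def referer_crosses_sites(host, referer):
    """True when the Referer names a different host than the request's Host
    header, i.e. SiteA learns the user arrived from SiteB."""
    ref_host = (urlsplit(referer).hostname or "").lower()
    return ref_host != host.split(":")[0].lower()


def minimize_request(raw):
    """Rebuild the request without the disclosing headers (hypothetical
    behaviour of a privacy-conscious client or a filtering proxy)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower().decode("ascii")
        if name not in DISCLOSING_HEADERS:
            kept.append(line)
    return b"\r\n".join(kept) + b"\r\n\r\n" + body


if __name__ == "__main__":
    for name, value, meaning in disclosed_info(SAMPLE_REQUEST):
        print(f"{name}: {value!r} reveals {meaning}")
    ua = parse_user_agent(parse_request(SAMPLE_REQUEST)[3]["user-agent"])
    print("User-Agent fields:", ua)
    hdrs = parse_request(SAMPLE_REQUEST)[3]
    print("Referer is cross-site:", referer_crosses_sites(hdrs["host"], hdrs["referer"]))
    print(minimize_request(SAMPLE_REQUEST).decode("ascii"))
```

Running the script on the constructed request lists all three disclosing headers, shows the Internet Explorer agent string decomposed into "Mozilla/4.0" plus the fields "compatible", "MSIE 4.0b1", "SunOS 5.5 sun4u" and "X11", flags the Referer as naming a different site than the Host header, and prints a version of the request carrying only the Host header.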